Analysis Report f4b1bde3-706a-40d2-8ace-693803810b6f.exe

Overview

General Information

Sample Name: f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Analysis ID: 356310
MD5: 1364f8c4c00b87e5d938e9f95af828f4
SHA1: 4dafecb2752fe653edbee9ce9794deda34325d5f
SHA256: 9a7b0abc37831a4c9dc1676cc3fc7c0278e413a845ace42ff4c82e21fc744653

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe Metadefender: Detection: 21%
Source: C:\Users\user\subfolder1\filename1.exe ReversingLabs: Detection: 67%
Multi AV Scanner detection for submitted file
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Virustotal: Detection: 56%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Metadefender: Detection: 21%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe ReversingLabs: Detection: 67%

Compliance:

Uses 32bit PE files
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49737 version: TLS 1.2

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D0694F InternetReadFile, 20_2_00D0694F
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.21twelveinteractive.com/#organization","name":"21Twelve Interactive LLP","url":"https://www.21twelveinteractive.com/","sameAs":["https://www.facebook.com/21twelveinteractive/","https://www.instagram.com/21twelveinteractive/","https://www.linkedin.com/company/21twelve-interactive/","https://www.pinterest.com/21twelveinteractive/","https://twitter.com/21twelveI"],"logo":{"@type":"ImageObject","@id":"https://www.21twelveinteractive.com/#logo","inLanguage":"en-US","url":"https://www.21twelveinteractive.com/wp-content/uploads/2018/06/icon.png","width":200,"height":200,"caption":"21Twelve Interactive LLP"},"image":{"@id":"https://www.21twelveinteractive.com/#logo"}},{"@type":"WebSite","@id":"https://www.21twelveinteractive.com/#website","url":"https://www.21twelveinteractive.com/","name":"21Twelve Interactive","description":"Imagination Turns to Innovation","publisher":{"@id":"https://www.21twelveinteractive.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":"https://www.21twelveinteractive.com/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}</script> equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.21twelveinteractive.com/#organization","name":"21Twelve Interactive LLP","url":"https://www.21twelveinteractive.com/","sameAs":["https://www.facebook.com/21twelveinteractive/","https://www.instagram.com/21twelveinteractive/","https://www.linkedin.com/company/21twelve-interactive/","https://www.pinterest.com/21twelveinteractive/","https://twitter.com/21twelveI"],"logo":{"@type":"ImageObject","@id":"https://www.21twelveinteractive.com/#logo","inLanguage":"en-US","url":"https://www.21twelveinteractive.com/wp-content/uploads/2018/06/icon.png","width":200,"height":200,"caption":"21Twelve Interactive LLP"},"image":{"@id":"https://www.21twelveinteractive.com/#logo"}},{"@type":"WebSite","@id":"https://www.21twelveinteractive.com/#website","url":"https://www.21twelveinteractive.com/","name":"21Twelve Interactive","description":"Imagination Turns to Innovation","publisher":{"@id":"https://www.21twelveinteractive.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":"https://www.21twelveinteractive.com/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}</script> equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.21twelveinteractive.com/#organization","name":"21Twelve Interactive LLP","url":"https://www.21twelveinteractive.com/","sameAs":["https://www.facebook.com/21twelveinteractive/","https://www.instagram.com/21twelveinteractive/","https://www.linkedin.com/company/21twelve-interactive/","https://www.pinterest.com/21twelveinteractive/","https://twitter.com/21twelveI"],"logo":{"@type":"ImageObject","@id":"https://www.21twelveinteractive.com/#logo","inLanguage":"en-US","url":"https://www.21twelveinteractive.com/wp-content/uploads/2018/06/icon.png","width":200,"height":200,"caption":"21Twelve Interactive LLP"},"image":{"@id":"https://www.21twelveinteractive.com/#logo"}},{"@type":"WebSite","@id":"https://www.21twelveinteractive.com/#website","url":"https://www.21twelveinteractive.com/","name":"21Twelve Interactive","description":"Imagination Turns to Innovation","publisher":{"@id":"https://www.21twelveinteractive.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":"https://www.21twelveinteractive.com/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}</script> equals www.twitter.com (Twitter)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: "https://www.facebook.com/21twelveinteractive/", equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: "https://www.linkedin.com/company/21twelve-interactive/", equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: "sameAs" :["https://www.facebook.com/21twelveinteractive/", "https://twitter.com/21twelveI", "https://www.linkedin.com/company/13266555", "https://plus.google.com/u/0/b/117296032389086012359/117296032389086012359"] equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: "sameAs" :["https://www.facebook.com/21twelveinteractive/", "https://twitter.com/21twelveI", "https://www.linkedin.com/company/13266555", "https://plus.google.com/u/0/b/117296032389086012359/117296032389086012359"] equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: "sameAs" :["https://www.facebook.com/21twelveinteractive/", "https://twitter.com/21twelveI", "https://www.linkedin.com/company/13266555", "https://plus.google.com/u/0/b/117296032389086012359/117296032389086012359"] equals www.twitter.com (Twitter)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: <li><a title="Facebook" href="https://www.facebook.com/21twelveinteractive/" target="_blank"><i class="fa fa-facebook"></i>Facebook</a></li> equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: <li><a title="Linkedin" href="https://www.linkedin.com/company/21twelve-interactive/" target="_blank"><i class="fa fa-linkedin"></i>Linkedin</a></li> equals www.linkedin.com (Linkedin)
Source: unknown DNS traffic detected: queries for: 21twelveinteractive.com
Source: RegAsm.exe, 00000014.00000002.486413359.0000000000FE1000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.com/roots/ds
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486413359.0000000000FE1000.00000004.00000020.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: http://crl.i
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: http://css3-mediaqueries-js.googlecode.com/svn/trunk/css3-mediaqueries.js
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: http://r3.i2
Source: RegAsm.exe, 00000014.00000002.486413359.0000000000FE1000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.le
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com//dstro
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/173855x
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/2
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/5
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/L
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/U5W
Source: RegAsm.exe, 00000005.00000002.474366584.0000000001300000.00000040.00000001.sdmp, RegAsm.exe, 00000014.00000002.486227915.0000000000D00000.00000040.00000001.sdmp String found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.bin
Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.binan
Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.bind
Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.binnt
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/ileapp
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/n
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/nDl
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://21twelveinteractive.com/opmobi
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://api.w.org/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://embed.tawk.to/5dabf4d6df22d91339a00b9d/default
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://oss.maxcdn.com/respond/1.4.2/respond.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://r6k8z9y5.rocketcdn.me/wp-content/uploads/2019/10/new-logo1.svg
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://r6k8z9y5.rocketcdn.me/wp-content/uploads/2020/02/21twelve-logo-bg.png
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://schema.org
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://schema.org/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/21twelveI/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://web.whatsapp.com/send?phone=13474740020
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://wordpress.org/plugins/mailchimp-for-wp/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/#organization
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/21twelve-interactive-portfolio/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/about-us/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/admin-dashboard-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/android-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/android-game-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/angularjs-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/banner-brochure-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/blog/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/cakephp-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/codeigniter-development/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/comments/feed/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/contact-us/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/content-writing/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/corporate-website-designs/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/cross-platform-mobile-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/custom-cms-website-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/digital-branding/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/drupal-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/ecommerce-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/ecommerce-magento-2-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/ecommerce-magento-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/feed/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/feed/atom/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/feed/rss/
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin0
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin0100
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin2e
Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binDH
Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binMH
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bincefb9XX
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binmobi
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/game-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-android-app-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-cross-platform-app-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-drupal-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-ipad-app-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-iphone-app-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-joomla-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-magento-2-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-magento-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-php-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-unity-3d-game-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hire-wordpress-developer/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/hybrid-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/ipad-application-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/ipad-game-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/iphone-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/iphone-game-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/joomla-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/js-framework-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/laravel-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/logo-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/markup/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/meteor-js-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/mobile-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/mobile-responsive-website-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/node-js-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/opencart-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/parallax-website-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/pay-per-click-services/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/php-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/prestashop-development/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/privacy-policy/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-bootstrap/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-drupal/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-email-template/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-html/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-html5/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-joomla/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-magento/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-mobile-template/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/psd-to-wordpress/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/quality-assurance/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/react-js-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/react-native-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/ruby-on-rails-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/search-engine-optimization/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/services/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/shopify-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/sketch-to-psd-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/social-media-marketing/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/terms-and-condition/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/the-crew/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/unity-3d-2d-game-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/virtuemart-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/website-design/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/windows-app-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/woocommerce-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wordpress-development-agency/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wordpress-development/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/work-process/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/browsers.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/formreset.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/formsmain.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/readyclass.min.css
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/images/spinner.gif
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/gravityforms.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/jquery.json.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/jquery.maskedinput.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/js_composer/assets/css/vc-ie8.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/js_composer/assets/css/vc_lte_ie9.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/mailchimp-for-wp/assets/css/form-basic.min.cs
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/mailchimp-for-wp/assets/js/forms.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/structured-content/dist/blocks.style.build.cs
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/wp-rocket/assets/js/lazyload/16.1/lazyload.mi
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/animate.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/custom.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/pages/84.css
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/aus.png
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/india.png
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/usa.png
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/main.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/plugin.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/snow.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/bootstrap/css/bootstra
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/bootstrap/js/bootstrap
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/fonts-awesome/css/font
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/jquery.jPlayer/jquery.
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/megatron-icon/css/styl
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/owl-carousel/assets/ow
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/perfect-scrollbar/css/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/prettyPhoto/css/pretty
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/slick/css/slick.min.cs
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/slick/js/slick.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/g5plus-framework/xmenu/assets/css/ami
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/g5plus-framework/xmenu/assets/js/app.
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2018/01/new-logo.svg
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2019/04/Favicon1.png
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2019/10/new-logo1.svg
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2020/02/conatact-left2.png
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2020/03/WhatsApp.svg
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-includes/css/dist/block-library/style.min.css
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-includes/js/wp-embed.min.js
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-includes/wlwmanifest.xml
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/wp-json/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/xmlrpc.php
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/xmlrpc.php?rsd
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.21twelveinteractive.com/zend-development/
Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/21twelveinteractive/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.linkedin.com/company/21twelve-interactive/
Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://www.pinterest.com/21twelveinteractive/
Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49737 version: TLS 1.2

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_020F06B6 NtSetInformationThread, 0_2_020F06B6
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_020F0740 NtSetInformationThread, 0_2_020F0740
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0130694F NtQueryInformationProcess, 5_2_0130694F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013005BD EnumWindows,NtSetInformationThread, 5_2_013005BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013064DF NtProtectVirtualMemory, 5_2_013064DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01305BAD NtSetInformationThread, 5_2_01305BAD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0130696A NtQueryInformationProcess, 5_2_0130696A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306997 NtQueryInformationProcess, 5_2_01306997
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013069CD NtQueryInformationProcess, 5_2_013069CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0130070D NtSetInformationThread, 5_2_0130070D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306B0D NtQueryInformationProcess, 5_2_01306B0D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306B73 NtQueryInformationProcess, 5_2_01306B73
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306B47 NtQueryInformationProcess, 5_2_01306B47
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306B91 NtQueryInformationProcess, 5_2_01306B91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306BCB NtQueryInformationProcess, 5_2_01306BCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0130063A NtSetInformationThread, 5_2_0130063A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306A29 NtQueryInformationProcess, 5_2_01306A29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306A05 NtQueryInformationProcess, 5_2_01306A05
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306A79 NtQueryInformationProcess, 5_2_01306A79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01300651 NtSetInformationThread, 5_2_01300651
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306A49 NtQueryInformationProcess, 5_2_01306A49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306ABA NtQueryInformationProcess, 5_2_01306ABA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01300696 NtSetInformationThread, 5_2_01300696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306A99 NtQueryInformationProcess, 5_2_01306A99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306AE7 NtQueryInformationProcess, 5_2_01306AE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013006D6 NtSetInformationThread, 5_2_013006D6
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02232877 NtWriteVirtualMemory, 17_2_02232877
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_021664D1 NtProtectVirtualMemory, 19_2_021664D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D064DF NtProtectVirtualMemory, 20_2_00D064DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D005BD EnumWindows,NtSetInformationThread, 20_2_00D005BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D05BAD NtSetInformationThread, 20_2_00D05BAD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D006D6 NtSetInformationThread, 20_2_00D006D6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D00696 NtSetInformationThread, 20_2_00D00696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D00651 NtSetInformationThread, 20_2_00D00651
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D0063A NtSetInformationThread, 20_2_00D0063A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D0070D NtSetInformationThread, 20_2_00D0070D
Detected potential crypto function
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_004014A8 0_2_004014A8
PE file contains strange resources
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000000.200454158.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameparag.exe vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000002.417651196.00000000020C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000002.418675329.0000000002930000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameparag.exeFE2XWhine Caps3 vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Binary or memory string: OriginalFilenameparag.exe vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal96.troj.evad.winEXE@12/1@4/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_01
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Virustotal: Detection: 56%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe Metadefender: Detection: 21%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe ReversingLabs: Detection: 67%
Source: unknown Process created: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7000, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6920, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5672, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040B040 pushad ; ret 0_2_0040B041
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040BC1E push cs; ret 0_2_0040BC3C
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040D4D9 push edi; iretd 0_2_0040D4E4
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040C085 push cs; iretd 0_2_0040C0A3
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040C248 push esp; iretd 0_2_0040C24C
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040C24E push esp; iretd 0_2_0040C24C
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040BE79 push ss; ret 0_2_0040BE81
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040BAD8 push FFFFFFB7h; retf 0_2_0040BAF4
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040BB82 push cs; ret 0_2_0040BBA4
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_0040BF99 push cs; iretd 0_2_0040C0A3
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_020F2FEE push edx; iretd 0_2_020F3026
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_020F3476 push 94DA5B5Eh; ret 0_2_020F350E
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_020F34D2 push 94DA5B5Eh; ret 0_2_020F350E
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Code function: 0_2_020F58FF push 214EAEE9h; retf 0_2_020F5907
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01304968 push ds; ret 5_2_0130497A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01304555 push ds; ret 5_2_0130459E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0130494F push ds; ret 5_2_01304961
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013045A5 push ds; ret 5_2_013045B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01304759 push ds; ret 5_2_01304786
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0130478D push ds; ret 5_2_0130479F
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02230220 push ebx; retf 17_2_02230243
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02233224 push ebx; retf 17_2_0223322B
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02233A28 push ebx; retf 17_2_02233A2F
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02230A2C push ebx; retf 17_2_02230A37
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02231234 push ebx; retf 17_2_0223123B
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02235E34 push ebx; retf 17_2_02235E3F
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02235A38 push ebx; retf 17_2_02235A57
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02230A3C push ebx; retf 17_2_02230A43
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02232606 push ebx; retf 17_2_0223260F
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02231204 push ebx; retf 17_2_0223120B
Source: C:\Users\user\subfolder1\filename1.exe Code function: 17_2_02234E09 push ebx; retf 17_2_02234E1B

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1\filename1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
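The report records only that RegAsm.exe created a "Startup key" value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and that it dropped C:\Users\user\subfolder1\filename1.exe; it does not print the value data. The following triage helper is an added example written for this page, not code from the report or from the sample. It classifies Run/RunOnce values the way an incident responder would: an autostart whose image lives under a user-writable path, or whose image is one of the signed .NET/LOLBin hosts seen in this trace (RegAsm.exe) launching such a path, is flagged, and a match against the dropped-file list is reported separately. The registry entries in SAMPLE_ENTRIES are constructed to match what this sample's persistence would look like (the third mirrors the observed RegAsm.exe command line); the PROXY_HOSTS list and USER_WRITABLE_ROOTS are the editor's assumptions.

```python
"""Triage HKCU Run/RunOnce values: flag commands that start from user-writable paths.

Added example, not part of the Joe Sandbox report. read_run_keys() is Windows-only
and returns {} elsewhere; classify()/triage() are pure and run on any platform.
"""
import ntpath
import re
import sys

# Paths a standard user can write to; legitimate autostarts rarely live here
# (assumption used for scoring, not a rule from the report).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Signed binaries commonly used as injection hosts or execution proxies: when one
# of these is the image, the path in its arguments is the artefact to look at.
PROXY_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "mshta.exe",
               "wscript.exe", "cscript.exe", "rundll32.exe", "cmd.exe", "powershell.exe"}

# Constructed entries (not from the report); "update" mirrors the observed RegAsm.exe command line.
SAMPLE_ENTRIES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "filename1": r'"C:\Users\user\subfolder1\filename1.exe"',
    "update": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe "C:\Users\user\subfolder1\filename1.exe"',
}
# Dropped file named in the report's "Drops PE files" signature.
DROPPED_FILES = {r"C:\Users\user\subfolder1\filename1.exe"}


def split_command(command: str):
    """Return (image, args) for a Run-key value, honouring a double-quoted image path.

    An unquoted image path containing spaces is split at the first space, which is
    the ambiguity Windows itself resolves by probing; quote paths to avoid it.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    image, _, args = command.partition(" ")
    return image, args


def _paths_in(args: str):
    """Yield candidate file paths from an argument string: quoted ones, then bare drive-rooted tokens."""
    yield from re.findall(r'"([^"]+)"', args)
    yield from (t for t in re.sub(r'"[^"]*"', " ", args).split() if ":\\" in t)


def _normalise(path: str) -> str:
    return ntpath.normpath(path).lower()


def user_writable(path: str) -> bool:
    return _normalise(path).startswith(USER_WRITABLE_ROOTS)


def classify(name: str, command: str, dropped=frozenset()):
    """Return the reasons an autostart value is suspicious (empty list = looks benign)."""
    image, args = split_command(command)
    dropped_norm = {_normalise(d) for d in dropped}
    reasons = []
    if user_writable(image):
        reasons.append(f"{name}: image {image} is under a user-writable path")
    if _normalise(image) in dropped_norm:
        reasons.append(f"{name}: image matches a file dropped during analysis")
    if ntpath.basename(image).lower() in PROXY_HOSTS:
        host = ntpath.basename(image)
        for p in _paths_in(args):
            if user_writable(p):
                reasons.append(f"{name}: proxy host {host} launches {p} from a user-writable path")
            if _normalise(p) in dropped_norm:
                reasons.append(f"{name}: proxy host {host} argument matches a dropped file")
    return reasons


def triage(entries: dict, dropped=frozenset()) -> dict:
    """Map value name -> reasons, keeping only suspicious entries."""
    return {n: r for n, c in entries.items() if (r := classify(n, c, dropped))}


def read_run_keys() -> dict:
    """Enumerate HKCU Run and RunOnce values (Windows only); {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for sub in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                r"Software\Microsoft\Windows\CurrentVersion\RunOnce"):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:  # no more values under this key
                        break
                    out[f"{ntpath.basename(sub)}\\{name}"] = str(value)
                    i += 1
        except FileNotFoundError:
            continue
    return out


if __name__ == "__main__":
    live = read_run_keys()
    for reasons in triage(live or SAMPLE_ENTRIES, DROPPED_FILES).values():
        print("\n".join(reasons))
```

On a live Windows host the script reads the real Run/RunOnce values; elsewhere it falls back to the constructed entries. Note that RunOnce values are deleted by Explorer as they execute, so in a post-incident image they may already be gone and the evidence is the registry transaction log or the sandbox trace, as here.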

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe RDTSC instruction interceptor: First address: 00000000020F2E56 second address: 00000000020F2E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe RDTSC instruction interceptor: First address: 00000000020F0C85 second address: 00000000020F0C85 instructions:
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002232E56 second address: 0000000002232E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002162E56 second address: 0000000002162E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8E58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8E17h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8E8Fh 0x00000040 call 00007FAB64BF8E68h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002230C85 second address: 0000000002230C85 instructions:
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002160C85 second address: 0000000002160C85 instructions:
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Tries to detect Any.run
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe RDTSC instruction interceptor: First address: 00000000020F2E56 second address: 00000000020F2E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe RDTSC instruction interceptor: First address: 00000000020F3047 second address: 00000000020F3047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe RDTSC instruction interceptor: First address: 00000000020F0C85 second address: 00000000020F0C85 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001303047 second address: 0000000001303047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002232E56 second address: 0000000002232E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002162E56 second address: 0000000002162E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8E58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8E17h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8E8Fh 0x00000040 call 00007FAB64BF8E68h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002233047 second address: 0000000002233047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002230C85 second address: 0000000002230C85 instructions:
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002163047 second address: 0000000002163047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002160C85 second address: 0000000002160C85 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D03047 second address: 0000000000D03047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
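The two instruction listings above (the one at offset ...2E56 under "Detected RDTSC dummy instruction sequence" and the one at offset ...3047 under "Tries to detect virtualization through RDTSC time measurements") show the whole technique: a TSC read, a CPUID in the middle, and a second TSC read. CPUID unconditionally traps to the hypervisor, so the delta between the two reads grows by orders of magnitude under virtualisation; leaf 0xAB is an undefined leaf chosen only for that trap, while leaf 1 additionally returns the hypervisor-present flag in ECX bit 31 (the `bt ecx, 1Fh` that follows it). The `mov edx, dword ptr [7FFE0014h]` reads KUSER_SHARED_DATA.SystemTime.LowPart, a wall clock the loader compares against the TSC delta so that hooking or slowing RDTSC alone does not hide the sandbox. The following parser is an added example written for this page, not code from the report or the sample: it consumes the flattened listings exactly as the report prints them and decides whether a window between two RDTSC reads is such a probe. The classification rules are the editor's own; SAMPLE_HAMMER and SAMPLE_HVBIT are quoted from the report, BENIGN_DUMP is constructed.

```python
"""Flag a GuLoader-style RDTSC/CPUID timing probe in a sandbox instruction dump.

Added example, not part of the Joe Sandbox report. Heuristics are the editor's own;
SAMPLE_HAMMER and SAMPLE_HVBIT are quoted from the report, BENIGN_DUMP is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every process; offset
# 0x14 is SystemTime.LowPart, the wall clock the loader compares with the TSC delta.
KUSER_SHARED_DATA_SYSTEMTIME_LOW = 0x7FFE0014

# Listing the report shows at 0x020F2E56 (CPUID leaf 0xAB "hammering").
SAMPLE_HAMMER = (
    "0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid "
    "0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence "
    "0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret "
    "0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah "
    "0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad "
    "0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h "
    "0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx "
    "0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence "
    "0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret "
    "0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc"
)
# Listing the report shows at 0x020F3047 (CPUID leaf 1, hypervisor-present bit).
SAMPLE_HVBIT = (
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax "
    "0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax "
    "0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h "
    "0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al "
    "0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc"
)
# Constructed: a lone RDTSC used as a seed, no CPUID, no clock read.
BENIGN_DUMP = "0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 mov [esi], eax 0x00000006 ret"

_ADDR_SPLIT = re.compile(r"\s*(0x[0-9a-fA-F]{8})\s+")   # report prints 0x + 8 hex digits per insn
_MOV_EAX_IMM = re.compile(r"^eax, ([0-9a-f]+)h$")
_MEM_ABS = re.compile(r"\[([0-9a-f]+)h\]")


@dataclass(frozen=True)
class Insn:
    offset: int
    mnemonic: str
    operands: str


def parse_dump(dump: str) -> list[Insn]:
    """Split '0xOFFSET mnemonic operands 0xOFFSET ...' into Insn records."""
    parts = _ADDR_SPLIT.split(dump.strip())  # ['', addr, text, addr, text, ...]
    out = []
    for addr, text in zip(parts[1::2], parts[2::2]):
        mnemonic, _, operands = text.strip().partition(" ")
        out.append(Insn(int(addr, 16), mnemonic.lower(), operands.strip().lower()))
    return out


@dataclass
class TimingProbe:
    rdtsc_count: int
    cpuid_leaves: list          # EAX at each CPUID between the RDTSCs (None = unknown)
    reads_shared_systemtime: bool
    hypervisor_bit_test: bool

    @property
    def is_vm_timing_check(self) -> bool:
        # Two TSC reads bracketing a CPUID (forced VM exit) plus either the
        # wall-clock cross-check or an explicit hypervisor-bit test.
        return (self.rdtsc_count >= 2 and bool(self.cpuid_leaves)
                and (self.reads_shared_systemtime or self.hypervisor_bit_test))


def analyse(dump: str) -> TimingProbe:
    insns = parse_dump(dump)
    rdtsc_at = [i for i, x in enumerate(insns) if x.mnemonic == "rdtsc"]
    window = insns[rdtsc_at[0]:rdtsc_at[-1] + 1] if rdtsc_at else []
    eax, leaves, hv_bit, shared = None, [], False, False
    for i, x in enumerate(window):
        if x.mnemonic == "xor" and x.operands == "eax, eax":
            eax = 0
        elif x.mnemonic == "inc" and x.operands == "eax" and eax is not None:
            eax += 1
        elif x.mnemonic == "mov" and (m := _MOV_EAX_IMM.match(x.operands)):
            eax = int(m.group(1), 16)
        elif x.mnemonic == "cpuid":
            leaves.append(eax)
            # Leaf 1 reports "hypervisor present" in ECX bit 31.
            if eax == 1 and any(y.mnemonic == "bt" and y.operands == "ecx, 1fh"
                                for y in window[i + 1:i + 4]):
                hv_bit = True
        m = _MEM_ABS.search(x.operands)
        if m and int(m.group(1), 16) == KUSER_SHARED_DATA_SYSTEMTIME_LOW:
            shared = True
    return TimingProbe(len(rdtsc_at), leaves, shared, hv_bit)


if __name__ == "__main__":
    for name, dump in (("hammer", SAMPLE_HAMMER), ("hvbit", SAMPLE_HVBIT), ("benign", BENIGN_DUMP)):
        print(name, analyse(dump), analyse(dump).is_vm_timing_check)
```

The window is cut at the first and last RDTSC because that is what the loader measures; anything outside it (the `sub edx, esi` delta computation, the `cmp`/`jne` on the result) is the decision, not the probe. Listings that the report prints without instructions (the lines ending in "instructions:") yield an empty window and are reported as not a timing check, which is the honest answer for missing data.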
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01301563 rdtsc 5_2_01301563
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5356 Thread sleep time: -150000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013005BD NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00020040,00000000,B95DDAB0,00000FFF 5_2_013005BD
Hides threads from debuggers
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01301563 rdtsc 5_2_01301563
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01303D88 LdrInitializeThunk, 5_2_01303D88
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01305183 mov eax, dword ptr fs:[00000030h] 5_2_01305183
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013051FC mov eax, dword ptr fs:[00000030h] 5_2_013051FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01306003 mov eax, dword ptr fs:[00000030h] 5_2_01306003
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01301C95 mov eax, dword ptr fs:[00000030h] 5_2_01301C95
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01302CDB mov eax, dword ptr fs:[00000030h] 5_2_01302CDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01305FD1 mov eax, dword ptr fs:[00000030h] 5_2_01305FD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01305FCE mov eax, dword ptr fs:[00000030h] 5_2_01305FCE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01305264 mov eax, dword ptr fs:[00000030h] 5_2_01305264
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01304A42 mov eax, dword ptr fs:[00000030h] 5_2_01304A42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_013016F0 mov eax, dword ptr fs:[00000030h] 5_2_013016F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01301EEC mov eax, dword ptr fs:[00000030h] 5_2_01301EEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01301EEE mov eax, dword ptr fs:[00000030h] 5_2_01301EEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D02CDB mov eax, dword ptr fs:[00000030h] 20_2_00D02CDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D01C95 mov eax, dword ptr fs:[00000030h] 20_2_00D01C95
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D06003 mov eax, dword ptr fs:[00000030h] 20_2_00D06003
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D051FC mov eax, dword ptr fs:[00000030h] 20_2_00D051FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D05183 mov eax, dword ptr fs:[00000030h] 20_2_00D05183
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D016F0 mov eax, dword ptr fs:[00000030h] 20_2_00D016F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D01EEC mov eax, dword ptr fs:[00000030h] 20_2_00D01EEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D01EEE mov eax, dword ptr fs:[00000030h] 20_2_00D01EEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D04A42 mov eax, dword ptr fs:[00000030h] 20_2_00D04A42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D05264 mov eax, dword ptr fs:[00000030h] 20_2_00D05264
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D05FD1 mov eax, dword ptr fs:[00000030h] 20_2_00D05FD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 20_2_00D05FCE mov eax, dword ptr fs:[00000030h] 20_2_00D05FCE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F22CDB mov eax, dword ptr fs:[00000030h] 22_2_00F22CDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F21C95 mov eax, dword ptr fs:[00000030h] 22_2_00F21C95
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F26003 mov eax, dword ptr fs:[00000030h] 22_2_00F26003
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F251FC mov eax, dword ptr fs:[00000030h] 22_2_00F251FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F25183 mov eax, dword ptr fs:[00000030h] 22_2_00F25183
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F216F0 mov eax, dword ptr fs:[00000030h] 22_2_00F216F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F21EEE mov eax, dword ptr fs:[00000030h] 22_2_00F21EEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F21EEC mov eax, dword ptr fs:[00000030h] 22_2_00F21EEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F25264 mov eax, dword ptr fs:[00000030h] 22_2_00F25264
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F24A42 mov eax, dword ptr fs:[00000030h] 22_2_00F24A42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F25FD1 mov eax, dword ptr fs:[00000030h] 22_2_00F25FD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_00F25FCE mov eax, dword ptr fs:[00000030h] 22_2_00F25FCE

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1300000 Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D00000 Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: F20000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe' Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe' Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe' Jump to behavior
Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 356310
Sample: f4b1bde3-706a-40d2-8ace-693...
Start date: 22/02/2021
Architecture: WINDOWS
Score: 96

Graph-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Process tree recovered from the graph (signatures attached to each node in parentheses):

f4b1bde3-706a-40d2-8ace-693803810b6f.exe (Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run)
    RegAsm.exe (Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; Contains functionality to hide a thread from the debugger)
        contacts 21twelveinteractive.com and www.21twelveinteractive.com: 103.53.43.36 port 443 (local ports 49726, 49729), PUBLIC-DOMAIN-REGISTRYUS, India
        drops C:\Users\user\subfolder1\filename1.exe (PE32)
        conhost.exe
filename1.exe (Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers)
    RegAsm.exe (Hides threads from debuggers)
        contacts www.21twelveinteractive.com
        conhost.exe
filename1.exe
    RegAsm.exe
        conhost.exe

Contacted Public IPs

IP             Domain    Country   ASN      ASN Name                   Malicious
103.53.43.36   unknown   India     394695   PUBLIC-DOMAIN-REGISTRYUS   false

Contacted Domains

Name                           IP             Active
21twelveinteractive.com        103.53.43.36   true
www.21twelveinteractive.com    unknown        unknown