Analysis Report f4b1bde3-706a-40d2-8ace-693803810b6f.exe

Overview

General Information

Sample Name: f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Analysis ID: 356310
MD5: 1364f8c4c00b87e5d938e9f95af828f4
SHA1: 4dafecb2752fe653edbee9ce9794deda34325d5f
SHA256: 9a7b0abc37831a4c9dc1676cc3fc7c0278e413a845ace42ff4c82e21fc744653

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • f4b1bde3-706a-40d2-8ace-693803810b6f.exe (PID: 4112 cmdline: 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe' MD5: 1364F8C4C00B87E5D938E9F95AF828F4)
    • RegAsm.exe (PID: 5672 cmdline: 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 6732 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 1364F8C4C00B87E5D938E9F95AF828F4)
    • RegAsm.exe (PID: 6920 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 6844 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 1364F8C4C00B87E5D938E9F95AF828F4)
    • RegAsm.exe (PID: 7000 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: RegAsm.exe PID: 7000 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 6920 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 5672 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe, Metadefender: Detection: 21%
Source: C:\Users\user\subfolder1\filename1.exe, ReversingLabs: Detection: 67%
Multi AV Scanner detection for submitted file
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, Virustotal: Detection: 56%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, Metadefender: Detection: 21%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, ReversingLabs: Detection: 67%

Compliance:

Uses 32bit PE files
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown, HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 20_2_00D0694F InternetReadFile,20_2_00D0694F
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: "https://www.facebook.com/21twelveinteractive/", equals www.facebook.com (Facebook)
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: "https://www.linkedin.com/company/21twelve-interactive/", equals www.linkedin.com (Linkedin)
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: "sameAs" :["https://www.facebook.com/21twelveinteractive/", "https://twitter.com/21twelveI", "https://www.linkedin.com/company/13266555", "https://plus.google.com/u/0/b/117296032389086012359/117296032389086012359"] equals www.facebook.com (Facebook)
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: "sameAs" :["https://www.facebook.com/21twelveinteractive/", "https://twitter.com/21twelveI", "https://www.linkedin.com/company/13266555", "https://plus.google.com/u/0/b/117296032389086012359/117296032389086012359"] equals www.linkedin.com (Linkedin)
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: "sameAs" :["https://www.facebook.com/21twelveinteractive/", "https://twitter.com/21twelveI", "https://www.linkedin.com/company/13266555", "https://plus.google.com/u/0/b/117296032389086012359/117296032389086012359"] equals www.twitter.com (Twitter)
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: <li><a title="Facebook" href="https://www.facebook.com/21twelveinteractive/" target="_blank"><i class="fa fa-facebook"></i>Facebook</a></li> equals www.facebook.com (Facebook)
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: <li><a title="Linkedin" href="https://www.linkedin.com/company/21twelve-interactive/" target="_blank"><i class="fa fa-linkedin"></i>Linkedin</a></li> equals www.linkedin.com (Linkedin)
        Source: unknownDNS traffic detected: queries for: 21twelveinteractive.com
        Source: RegAsm.exe, 00000014.00000002.486413359.0000000000FE1000.00000004.00000020.sdmpString found in binary or memory: http://apps.identrust.com/roots/ds
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486413359.0000000000FE1000.00000004.00000020.sdmpString found in binary or memory: http://cps.letsencrypt.org0
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: http://crl.i
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: http://css3-mediaqueries-js.googlecode.com/svn/trunk/css3-mediaqueries.js
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: http://r3.i.lencr.org/0
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: http://r3.i2
        Source: RegAsm.exe, 00000014.00000002.486413359.0000000000FE1000.00000004.00000020.sdmpString found in binary or memory: http://r3.o.le
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: http://r3.o.lencr.org0
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com//dstro
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/173855x
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/2
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/5
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/L
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/U5W
        Source: RegAsm.exe, 00000005.00000002.474366584.0000000001300000.00000040.00000001.sdmp, RegAsm.exe, 00000014.00000002.486227915.0000000000D00000.00000040.00000001.sdmpString found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.bin
        Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.binan
        Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.bind
        Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.binnt
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/ileapp
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/n
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/nDl
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://21twelveinteractive.com/opmobi
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://embed.tawk.to/5dabf4d6df22d91339a00b9d/default
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://oss.maxcdn.com/respond/1.4.2/respond.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://r6k8z9y5.rocketcdn.me/wp-content/uploads/2019/10/new-logo1.svg
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://r6k8z9y5.rocketcdn.me/wp-content/uploads/2020/02/21twelve-logo-bg.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://schema.org
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://schema.org/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/21twelveI/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://web.whatsapp.com/send?phone=13474740020
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://wordpress.org/plugins/mailchimp-for-wp/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/#organization
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/21twelve-interactive-portfolio/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/about-us/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/admin-dashboard-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/android-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/android-game-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/angularjs-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/banner-brochure-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/blog/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/cakephp-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/codeigniter-development/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/comments/feed/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/contact-us/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/content-writing/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/corporate-website-designs/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/cross-platform-mobile-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/custom-cms-website-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/digital-branding/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/drupal-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/ecommerce-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/ecommerce-magento-2-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/ecommerce-magento-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/feed/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/feed/atom/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/feed/rss/
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin0
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin0100
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin2e
        Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binDH
        Source: RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binMH
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bincefb9XX
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binmobi
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/game-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-android-app-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-cross-platform-app-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-drupal-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-ipad-app-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-iphone-app-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-joomla-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-magento-2-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-magento-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/hire-php-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/hire-unity-3d-game-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/hire-wordpress-developer/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/hybrid-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/ipad-application-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/ipad-game-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/iphone-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/iphone-game-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/joomla-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/js-framework-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/laravel-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/logo-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/markup/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/meteor-js-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/mobile-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/mobile-responsive-website-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/node-js-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/opencart-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/parallax-website-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/pay-per-click-services/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/php-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/prestashop-development/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/privacy-policy/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-bootstrap/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-drupal/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-email-template/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-html/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-html5/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-joomla/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-magento/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-mobile-template/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/psd-to-wordpress/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/quality-assurance/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/react-js-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/react-native-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/ruby-on-rails-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/search-engine-optimization/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/services/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/shopify-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/sketch-to-psd-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/social-media-marketing/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/terms-and-condition/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/the-crew/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/unity-3d-2d-game-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/virtuemart-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/website-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/windows-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/woocommerce-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wordpress-development-agency/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wordpress-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/work-process/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/browsers.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/formreset.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/formsmain.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/readyclass.min.css
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/images/spinner.gif
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/gravityforms.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/jquery.json.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/jquery.maskedinput.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/js_composer/assets/css/vc-ie8.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/js_composer/assets/css/vc_lte_ie9.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/mailchimp-for-wp/assets/css/form-basic.min.cs
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/mailchimp-for-wp/assets/js/forms.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/structured-content/dist/blocks.style.build.cs
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/wp-rocket/assets/js/lazyload/16.1/lazyload.mi
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/animate.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/custom.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/pages/84.css
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/aus.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/india.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/usa.png
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/main.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/plugin.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/snow.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/bootstrap/css/bootstra
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/bootstrap/js/bootstrap
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/fonts-awesome/css/font
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/jquery.jPlayer/jquery.
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/megatron-icon/css/styl
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/owl-carousel/assets/ow
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/perfect-scrollbar/css/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/prettyPhoto/css/pretty
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/slick/css/slick.min.cs
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/slick/js/slick.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/g5plus-framework/xmenu/assets/css/ami
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/g5plus-framework/xmenu/assets/js/app.
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2018/01/new-logo.svg
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2019/04/Favicon1.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2019/10/new-logo1.svg
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2020/02/conatact-left2.png
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2020/03/WhatsApp.svg
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-includes/css/dist/block-library/style.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-includes/js/wp-embed.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-includes/wlwmanifest.xml
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/wp-json/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/xmlrpc.php
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/xmlrpc.php?rsd
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.21twelveinteractive.com/zend-development/
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/21twelveinteractive/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.linkedin.com/company/21twelve-interactive/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://www.pinterest.com/21twelveinteractive/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
        Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
        Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49726 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49729 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49735 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49737 version: TLS 1.2
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F06B6 NtSetInformationThread, | 0_2_020F06B6
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F0740 NtSetInformationThread, | 0_2_020F0740
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130694F NtQueryInformationProcess, | 5_2_0130694F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013005BD EnumWindows,NtSetInformationThread, | 5_2_013005BD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013064DF NtProtectVirtualMemory, | 5_2_013064DF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01305BAD NtSetInformationThread, | 5_2_01305BAD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130696A NtQueryInformationProcess, | 5_2_0130696A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306997 NtQueryInformationProcess, | 5_2_01306997
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013069CD NtQueryInformationProcess, | 5_2_013069CD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130070D NtSetInformationThread, | 5_2_0130070D
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B0D NtQueryInformationProcess, | 5_2_01306B0D
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B73 NtQueryInformationProcess, | 5_2_01306B73
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B47 NtQueryInformationProcess, | 5_2_01306B47
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B91 NtQueryInformationProcess, | 5_2_01306B91
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306BCB NtQueryInformationProcess, | 5_2_01306BCB
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130063A NtSetInformationThread, | 5_2_0130063A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A29 NtQueryInformationProcess, | 5_2_01306A29
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A05 NtQueryInformationProcess, | 5_2_01306A05
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A79 NtQueryInformationProcess, | 5_2_01306A79
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01300651 NtSetInformationThread, | 5_2_01300651
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A49 NtQueryInformationProcess, | 5_2_01306A49
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306ABA NtQueryInformationProcess, | 5_2_01306ABA
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01300696 NtSetInformationThread, | 5_2_01300696
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A99 NtQueryInformationProcess, | 5_2_01306A99
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306AE7 NtQueryInformationProcess, | 5_2_01306AE7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013006D6 NtSetInformationThread, | 5_2_013006D6
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02232877 NtWriteVirtualMemory, | 17_2_02232877
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 19_2_021664D1 NtProtectVirtualMemory, | 19_2_021664D1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D064DF NtProtectVirtualMemory, | 20_2_00D064DF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D005BD EnumWindows,NtSetInformationThread, | 20_2_00D005BD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D05BAD NtSetInformationThread, | 20_2_00D05BAD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D006D6 NtSetInformationThread, | 20_2_00D006D6
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D00696 NtSetInformationThread, | 20_2_00D00696
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D00651 NtSetInformationThread, | 20_2_00D00651
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D0063A NtSetInformationThread, | 20_2_00D0063A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D0070D NtSetInformationThread, | 20_2_00D0070D
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_004014A8 | 0_2_004014A8
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: filename1.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000000.200454158.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameparag.exe vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000002.417651196.00000000020C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000002.418675329.0000000002930000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameparag.exeFE2XWhine Caps3 vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Binary or memory string: OriginalFilenameparag.exe vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: classification engine | Classification label: mal96.troj.evad.winEXE@12/1@4/1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\subfolder1
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_01
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Virustotal: Detection: 56%
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Metadefender: Detection: 21%
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | ReversingLabs: Detection: 67%
        Source: unknown | Process created: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe' Jump to behavior
        Source: C:\Users\user\subfolder1\filename1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe' Jump to behavior
        Source: C:\Users\user\subfolder1\filename1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe' Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match  File source: Process Memory Space: RegAsm.exe PID: 7000, type: MEMORY
        Source: Yara match  File source: Process Memory Space: RegAsm.exe PID: 6920, type: MEMORY
        Source: Yara match  File source: Process Memory Space: RegAsm.exe PID: 5672, type: MEMORY
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040B040 pushad ; ret 0_2_0040B041
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040BC1E push cs; ret 0_2_0040BC3C
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040D4D9 push edi; iretd 0_2_0040D4E4
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040C085 push cs; iretd 0_2_0040C0A3
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040C248 push esp; iretd 0_2_0040C24C
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040C24E push esp; iretd 0_2_0040C24C
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040BE79 push ss; ret 0_2_0040BE81
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040BAD8 push FFFFFFB7h; retf 0_2_0040BAF4
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040BB82 push cs; ret 0_2_0040BBA4
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_0040BF99 push cs; iretd 0_2_0040C0A3
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_020F2FEE push edx; iretd 0_2_020F3026
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_020F3476 push 94DA5B5Eh; ret 0_2_020F350E
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_020F34D2 push 94DA5B5Eh; ret 0_2_020F350E
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Code function: 0_2_020F58FF push 214EAEE9h; retf 0_2_020F5907
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01304968 push ds; ret 5_2_0130497A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01304555 push ds; ret 5_2_0130459E
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_0130494F push ds; ret 5_2_01304961
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_013045A5 push ds; ret 5_2_013045B7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01304759 push ds; ret 5_2_01304786
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_0130478D push ds; ret 5_2_0130479F
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02230220 push ebx; retf 17_2_02230243
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02233224 push ebx; retf 17_2_0223322B
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02233A28 push ebx; retf 17_2_02233A2F
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02230A2C push ebx; retf 17_2_02230A37
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02231234 push ebx; retf 17_2_0223123B
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02235E34 push ebx; retf 17_2_02235E3F
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02235A38 push ebx; retf 17_2_02235A57
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02230A3C push ebx; retf 17_2_02230A43
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02232606 push ebx; retf 17_2_0223260F
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02231204 push ebx; retf 17_2_0223120B
        Source: C:\Users\user\subfolder1\filename1.exe  Code function: 17_2_02234E09 push ebx; retf 17_2_02234E1B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  File created: C:\Users\user\subfolder1\filename1.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  RDTSC instruction interceptor: First address: 00000000020F2E56 second address: 00000000020F2E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  RDTSC instruction interceptor: First address: 00000000020F0C85 second address: 00000000020F0C85 instructions:
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002232E56 second address: 0000000002232E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002162E56 second address: 0000000002162E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8E58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8E17h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8E8Fh 0x00000040 call 00007FAB64BF8E68h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002230C85 second address: 0000000002230C85 instructions:
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002160C85 second address: 0000000002160C85 instructions:
        Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Evasive API call chain: GetPEB, DecisionNodes, Sleep  graph_5-15061
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\subfolder1\filename1.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\subfolder1\filename1.exe  File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\subfolder1\filename1.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\subfolder1\filename1.exe  File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: RegAsm.exe  Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  RDTSC instruction interceptor: First address: 00000000020F2E56 second address: 00000000020F2E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  RDTSC instruction interceptor: First address: 00000000020F3047 second address: 00000000020F3047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  RDTSC instruction interceptor: First address: 00000000020F0C85 second address: 00000000020F0C85 instructions:
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  RDTSC instruction interceptor: First address: 0000000001303047 second address: 0000000001303047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002232E56 second address: 0000000002232E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002162E56 second address: 0000000002162E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8E58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8E17h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8E8Fh 0x00000040 call 00007FAB64BF8E68h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002233047 second address: 0000000002233047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002230C85 second address: 0000000002230C85 instructions:
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002163047 second address: 0000000002163047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe  RDTSC instruction interceptor: First address: 0000000002160C85 second address: 0000000002160C85 instructions:
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  RDTSC instruction interceptor: First address: 0000000000D03047 second address: 0000000000D03047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01301563 rdtsc 5_2_01301563
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5356  Thread sleep time: -150000s >= -30000s
        Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp  Binary or memory string: Hyper-V RAW
        Source: RegAsm.exe  Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
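        The intercepted instruction sequences above show two distinct virtualization checks in the unpacked GuLoader stub. The first is `cpuid` with EAX=1 followed by `bt ecx, 1Fh`: ECX bit 31 of leaf 1 is the hypervisor-present bit, reserved on physical CPUs and set by Hyper-V, KVM, VMware and VirtualBox. The second is the `rdtsc ... cpuid ... rdtsc` loop that accumulates cycle deltas in `edi` while `ecx` counts iterations down; `cpuid` forces a VM exit under any hypervisor, so the delta is an order of magnitude larger in a guest. The same routine also reads `[7FFE0014h]`, which is `KUSER_SHARED_DATA.SystemTime.LowPart`, so the TSC delta can be cross-checked against a wall clock that a single-stepping debugger cannot hold still; that is why the same `rdtsc` function (5_2_01301563) is listed again under Anti Debugging. The C program below is an added illustration of those checks and is not code from the sample or from the sandbox; the sample count, the 500-cycle threshold and all names are assumptions. It builds on x86/x86-64 with GCC or Clang; on other architectures the measurement helpers return 0 and only the decision logic runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#  include <cpuid.h>
#  include <x86intrin.h>
#  define HAVE_X86 1
#else
#  define HAVE_X86 0
#endif

#define SAMPLES        16     /* assumed loop count; the sample keeps its own in ecx */
#define VM_CYCLE_LIMIT 500ULL /* assumed: CPUID costs ~100-200 cycles on bare metal,
                                 typically well over 1000 when it forces a VM exit */

/* CPUID leaf 1, ECX bit 31 ("hypervisor present"). Mirrors `bt ecx, 1Fh; jc`. */
int hypervisor_bit_set(uint32_t ecx_leaf1)
{
    return (int)((ecx_leaf1 >> 31) & 1u);
}

uint32_t read_cpuid_leaf1_ecx(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (uint32_t)c;
#else
    return 0; /* no CPUID on this architecture */
#endif
}

/* One RDTSC; CPUID; RDTSC sample, the core of the traced loop. CPUID is
 * serialising and an unconditional VM exit, so the cycle count around it
 * jumps inside a guest. */
uint64_t cpuid_cycle_delta(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of the samples (upper median for even n). Unlike the raw sum the
 * stub accumulates in edi, a median survives one interrupt or context switch
 * landing inside a measurement. The input array is not modified. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    uint64_t *copy = malloc(n * sizeof *copy);
    if (n == 0 || copy == NULL) { free(copy); return 0; }
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

int timing_says_virtualized(const uint64_t *samples, size_t n, uint64_t limit)
{
    return median_cycles(samples, n) > limit;
}

/* Windows only: [7FFE0014h] is KUSER_SHARED_DATA.SystemTime.LowPart (100 ns
 * units), the second clock the stub compares its TSC deltas against. */
uint32_t kuser_system_time_low(void)
{
#ifdef _WIN32
    return *(volatile uint32_t *)0x7FFE0014;
#else
    return 0;
#endif
}

int main(void)
{
    uint64_t s[SAMPLES];
    uint32_t wall0 = kuser_system_time_low();
    for (int i = 0; i < SAMPLES; i++)
        s[i] = cpuid_cycle_delta();
    uint32_t wall1 = kuser_system_time_low();

    int hv   = hypervisor_bit_set(read_cpuid_leaf1_ecx());
    int slow = timing_says_virtualized(s, SAMPLES, VM_CYCLE_LIMIT);
    printf("hypervisor bit: %d, median cpuid cycles: %llu, wall delta: %u x 100ns\n",
           hv, (unsigned long long)median_cycles(s, SAMPLES), wall1 - wall0);
    printf("verdict: %s\n", (hv || slow) ? "probably virtualized" : "looks like bare metal");
    return 0;
}
```

        Run it once on a physical host and once inside the analysis VM to calibrate the threshold; sandboxes that patch `cpuid` results or scale the TSC will pass the first check and fail the second, which is exactly why the stub combines both with the `SystemTime` read.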

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_013005BD NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00020040,00000000,B95DDAB0,00000FFF  5_2_013005BD
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Thread information set: HideFromDebugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Thread information set: HideFromDebugger
        Source: C:\Users\user\subfolder1\filename1.exe  Thread information set: HideFromDebugger
        Source: C:\Users\user\subfolder1\filename1.exe  Thread information set: HideFromDebugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe  Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process queried: DebugPort
        Source: C:\Users\user\subfolder1\filename1.exe  Process queried: DebugPort
        Source: C:\Users\user\subfolder1\filename1.exe  Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01301563 rdtsc 5_2_01301563
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01303D88 LdrInitializeThunk,  5_2_01303D88
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01305183 mov eax, dword ptr fs:[00000030h]  5_2_01305183
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_013051FC mov eax, dword ptr fs:[00000030h]  5_2_013051FC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01306003 mov eax, dword ptr fs:[00000030h]  5_2_01306003
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01301C95 mov eax, dword ptr fs:[00000030h]  5_2_01301C95
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01302CDB mov eax, dword ptr fs:[00000030h]  5_2_01302CDB
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01305FD1 mov eax, dword ptr fs:[00000030h]  5_2_01305FD1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01305FCE mov eax, dword ptr fs:[00000030h]  5_2_01305FCE
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01305264 mov eax, dword ptr fs:[00000030h]  5_2_01305264
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01304A42 mov eax, dword ptr fs:[00000030h]  5_2_01304A42
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_013016F0 mov eax, dword ptr fs:[00000030h]  5_2_013016F0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01301EEC mov eax, dword ptr fs:[00000030h]  5_2_01301EEC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 5_2_01301EEE mov eax, dword ptr fs:[00000030h]  5_2_01301EEE
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 20_2_00D02CDB mov eax, dword ptr fs:[00000030h]  20_2_00D02CDB
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 20_2_00D01C95 mov eax, dword ptr fs:[00000030h]  20_2_00D01C95
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 20_2_00D06003 mov eax, dword ptr fs:[00000030h]  20_2_00D06003
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 20_2_00D051FC mov eax, dword ptr fs:[00000030h]  20_2_00D051FC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  Code function: 20_2_00D05183 mov eax, dword ptr fs:[00000030h]  20_2_00D05183