Analysis Report f4b1bde3-706a-40d2-8ace-693803810b6f.exe

Overview

General Information

Sample Name: f4b1bde3-706a-40d2-8ace-693803810b6f.exe
Analysis ID: 356310
MD5: 1364f8c4c00b87e5d938e9f95af828f4
SHA1: 4dafecb2752fe653edbee9ce9794deda34325d5f
SHA256: 9a7b0abc37831a4c9dc1676cc3fc7c0278e413a845ace42ff4c82e21fc744653

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • f4b1bde3-706a-40d2-8ace-693803810b6f.exe (PID: 4112 cmdline: 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe' MD5: 1364F8C4C00B87E5D938E9F95AF828F4)
    • RegAsm.exe (PID: 5672 cmdline: 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 6732 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 1364F8C4C00B87E5D938E9F95AF828F4)
    • RegAsm.exe (PID: 6920 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 6844 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 1364F8C4C00B87E5D938E9F95AF828F4)
    • RegAsm.exe (PID: 7000 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source                                      Rule                  Description             Author        Strings
Process Memory Space: RegAsm.exe PID: 7000  JoeSecurity_GuLoader  Yara detected GuLoader  Joe Security
Process Memory Space: RegAsm.exe PID: 6920  JoeSecurity_GuLoader  Yara detected GuLoader  Joe Security
Process Memory Space: RegAsm.exe PID: 5672  JoeSecurity_GuLoader  Yara detected GuLoader  Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe    Metadefender: Detection: 21%
Source: C:\Users\user\subfolder1\filename1.exe    ReversingLabs: Detection: 67%
Multi AV Scanner detection for submitted file
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe    Virustotal: Detection: 56%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe    Metadefender: Detection: 21%
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe    ReversingLabs: Detection: 67%

Compliance:

Uses 32bit PE files
Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe    Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown    HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown    HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown    HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown    HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: Joe Sandbox View    JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe    Code function: 20_2_00D0694F InternetReadFile,
Source: unknown    DNS traffic detected: queries for: 21twelveinteractive.com
Source: RegAsm.exe, 00000005.00000002.474366584.0000000001300000.00000040.00000001.sdmp, RegAsm.exe, 00000014.00000002.486227915.0000000000D00000.00000040.00000001.sdmp    String found in binary or memory: https://21twelveinteractive.com/fg/janomo_ZhyUp244.bin
Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp    String found in binary or memory: https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.bin
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-bootstrap/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-drupal/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-email-template/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-html/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-html5/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-joomla/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-magento/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-mobile-template/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/psd-to-wordpress/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/quality-assurance/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/react-js-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/react-native-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/ruby-on-rails-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/search-engine-optimization/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/services/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/shopify-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/sketch-to-psd-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/social-media-marketing/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/terms-and-condition/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/the-crew/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/unity-3d-2d-game-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/virtuemart-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/website-design/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/windows-app-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/woocommerce-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wordpress-development-agency/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wordpress-development/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/work-process/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.486393836.0000000000FC1000.00000004.00000020.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/browsers.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/formreset.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/formsmain.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/css/readyclass.min.css
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/images/spinner.gif
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/gravityforms.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/jquery.json.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/jquery.maskedinput.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/js_composer/assets/css/vc-ie8.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/js_composer/assets/css/vc_lte_ie9.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/mailchimp-for-wp/assets/css/form-basic.min.cs
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/mailchimp-for-wp/assets/js/forms.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/structured-content/dist/blocks.style.build.cs
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/plugins/wp-rocket/assets/js/lazyload/16.1/lazyload.mi
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/animate.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/custom.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/pages/84.css
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/aus.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/india.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/usa.png
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/main.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/plugin.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/js/snow.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/bootstrap/css/bootstra
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/bootstrap/js/bootstrap
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/fonts-awesome/css/font
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/jquery.jPlayer/jquery.
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/megatron-icon/css/styl
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/owl-carousel/assets/ow
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/perfect-scrollbar/css/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/prettyPhoto/css/pretty
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/slick/css/slick.min.cs
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/slick/js/slick.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/g5plus-framework/xmenu/assets/css/ami
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/g5plus-framework/xmenu/assets/js/app.
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2018/01/new-logo.svg
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2019/04/Favicon1.png
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2019/10/new-logo1.svg
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2020/02/conatact-left2.png
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-content/uploads/2020/03/WhatsApp.svg
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-includes/css/dist/block-library/style.min.css
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-includes/js/wp-embed.min.js
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-includes/wlwmanifest.xml
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/wp-json/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/xmlrpc.php
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/xmlrpc.php?rsd
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.21twelveinteractive.com/zend-development/
        Source: RegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/21twelveinteractive/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.linkedin.com/company/21twelve-interactive/
        Source: RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://www.pinterest.com/21twelveinteractive/
        Source: RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
        Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
        Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49726 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49729 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49735 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.53.43.36:443 -> 192.168.2.3:49737 version: TLS 1.2
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F06B6 NtSetInformationThread,
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F0740 NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130694F NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013005BD EnumWindows,NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013064DF NtProtectVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01305BAD NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130696A NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306997 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013069CD NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130070D NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B0D NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B73 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B47 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306B91 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306BCB NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130063A NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A29 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A05 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A79 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01300651 NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A49 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306ABA NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01300696 NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306A99 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306AE7 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013006D6 NtSetInformationThread,
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02232877 NtWriteVirtualMemory,
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 19_2_021664D1 NtProtectVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D064DF NtProtectVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D005BD EnumWindows,NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D05BAD NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D006D6 NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D00696 NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D00651 NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D0063A NtSetInformationThread,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D0070D NtSetInformationThread,
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_004014A8
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: filename1.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000000.200454158.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameparag.exe vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000002.417651196.00000000020C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe, 00000000.00000002.418675329.0000000002930000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameparag.exeFE2XWhine Caps3 vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Binary or memory string: OriginalFilenameparag.exe vs f4b1bde3-706a-40d2-8ace-693803810b6f.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: classification engine | Classification label: mal96.troj.evad.winEXE@12/1@4/1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\subfolder1
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_01
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Virustotal: Detection: 56%
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Metadefender: Detection: 21%
        Source: f4b1bde3-706a-40d2-8ace-693803810b6f.exe | ReversingLabs: Detection: 67%
        Source: unknown | Process created: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
        Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: Window RecorderWindow detected: More than 3 window changes detected

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7000, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6920, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5672, type: MEMORY
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040B040 pushad ; ret
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040BC1E push cs; ret
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040D4D9 push edi; iretd
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040C085 push cs; iretd
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040C248 push esp; iretd
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040C24E push esp; iretd
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040BE79 push ss; ret
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040BAD8 push FFFFFFB7h; retf
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040BB82 push cs; ret
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_0040BF99 push cs; iretd
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F2FEE push edx; iretd
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F3476 push 94DA5B5Eh; ret
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F34D2 push 94DA5B5Eh; ret
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Code function: 0_2_020F58FF push 214EAEE9h; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01304968 push ds; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01304555 push ds; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130494F push ds; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013045A5 push ds; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01304759 push ds; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0130478D push ds; ret
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02230220 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02233224 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02233A28 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02230A2C push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02231234 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02235E34 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02235A38 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02230A3C push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02232606 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02231204 push ebx; retf
        Source: C:\Users\user\subfolder1\filename1.exe | Code function: 17_2_02234E09 push ebx; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\subfolder1\filename1.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | RDTSC instruction interceptor: First address: 00000000020F2E56 second address: 00000000020F2E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | RDTSC instruction interceptor: First address: 00000000020F0C85 second address: 00000000020F0C85 instructions:
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002232E56 second address: 0000000002232E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002162E56 second address: 0000000002162E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8E58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8E17h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8E8Fh 0x00000040 call 00007FAB64BF8E68h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002230C85 second address: 0000000002230C85 instructions:
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002160C85 second address: 0000000002160C85 instructions:
        Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\subfolder1\filename1.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\subfolder1\filename1.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\subfolder1\filename1.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\subfolder1\filename1.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: RegAsm.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | RDTSC instruction interceptor: First address: 00000000020F2E56 second address: 00000000020F2E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | RDTSC instruction interceptor: First address: 00000000020F3047 second address: 00000000020F3047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | RDTSC instruction interceptor: First address: 00000000020F0C85 second address: 00000000020F0C85 instructions:
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000001303047 second address: 0000000001303047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB964h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8E79h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002232E56 second address: 0000000002232E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8D18h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8CD7h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8D4Fh 0x00000040 call 00007FAB64BF8D28h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002162E56 second address: 0000000002162E56 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB64BF8E58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FAB64BF8E6Ah 0x00000020 test si, AC01h 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 pushad 0x00000029 mov eax, 000000ABh 0x0000002e cpuid 0x00000030 popad 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAB64BF8E17h 0x00000036 test ax, 000006F5h 0x0000003a push ecx 0x0000003b call 00007FAB64BF8E8Fh 0x00000040 call 00007FAB64BF8E68h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002233047 second address: 0000000002233047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002230C85 second address: 0000000002230C85 instructions:
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002163047 second address: 0000000002163047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000002160C85 second address: 0000000002160C85 instructions:
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000D03047 second address: 0000000000D03047 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAB64BFB824h 0x0000001d popad 0x0000001e jmp 00007FAB64BF8D2Ah 0x00000020 test bl, al 0x00000022 call 00007FAB64BF8D39h 0x00000027 lfence 0x0000002a rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01301563 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5356 | Thread sleep time: -150000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: RegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
        Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013005BD NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00020040,00000000,B95DDAB0,00000FFF
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Thread information set: HideFromDebugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
        Source: C:\Users\user\subfolder1\filename1.exe | Thread information set: HideFromDebugger
        Source: C:\Users\user\subfolder1\filename1.exe | Thread information set: HideFromDebugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process queried: DebugPort
        Source: C:\Users\user\subfolder1\filename1.exe | Process queried: DebugPort
        Source: C:\Users\user\subfolder1\filename1.exe | Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01301563 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01303D88 LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01305183 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013051FC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01306003 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01301C95 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01302CDB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01305FD1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01305FCE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01305264 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01304A42 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_013016F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01301EEC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01301EEE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D02CDB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D01C95 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D06003 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D051FC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D05183 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D016F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D01EEC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D01EEE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D04A42 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D05264 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D05FD1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 20_2_00D05FCE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F22CDB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F21C95 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F26003 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F251FC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F25183 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F216F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F21EEE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F21EEC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F25264 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F24A42 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F25FD1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 22_2_00F25FCE mov eax, dword ptr fs:[00000030h]

        HIPS / PFW / Operating System Protection Evasion:

        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1300000
        Source: C:\Users\user\subfolder1\filename1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D00000
        Source: C:\Users\user\subfolder1\filename1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: F20000
        Source: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
        Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: RegAsm.exe, 00000005.00000002.517993849.0000000001AE0000.00000002.00000001.sdmp, filename1.exe, 00000011.00000002.473666743.0000000000DC0000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.492980873.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 00000014.00000002.492955227.00000000015E0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.520054549.0000000001820000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Native API¹ | Registry Run Keys / Startup Folder¹ | Process Injection¹¹² | Masquerading¹ | OS Credential Dumping | Security Software Discovery⁷²¹ | Remote Services | Archive Collected Data¹ | Exfiltration Over Other Network Medium | Encrypted Channel¹² | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | DLL Side-Loading¹ | Registry Run Keys / Startup Folder¹ | Virtualization/Sandbox Evasion²² | LSASS Memory | Virtualization/Sandbox Evasion²² | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer¹ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading¹ | Process Injection¹¹² | Security Account Manager | Process Discovery¹ | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol¹ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information¹ | NTDS | Remote System Discovery¹ | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol² | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading¹ | LSA Secrets | System Information Discovery²¹ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

        Behavior Graph

        Behavior Graph ID: 356310; Sample: f4b1bde3-706a-40d2-8ace-693803810b6f.exe; Start date: 22/02/2021; Architecture: WINDOWS; Score: 96

        Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

        Process tree recovered from the graph:

        • f4b1bde3-706a-40d2-8ace-693803810b6f.exe (started). Signatures: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run
          • RegAsm.exe (started). DNS/IP: 21twelveinteractive.com, 103.53.43.36, port 443, source ports 49726 and 49729 (PUBLIC-DOMAIN-REGISTRYUS, India); www.21twelveinteractive.com. Dropped file: C:\Users\user\subfolder1\filename1.exe (PE32). Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; Contains functionality to hide a thread from the debugger
            • conhost.exe (started)
        • filename1.exe (started). Signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
          • RegAsm.exe (started). DNS/IP: www.21twelveinteractive.com. Signatures: Hides threads from debuggers
            • conhost.exe (started)
        • filename1.exe (started)
          • RegAsm.exe (started)
            • conhost.exe (started)

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        f4b1bde3-706a-40d2-8ace-693803810b6f.exe | 56% | Virustotal |
        f4b1bde3-706a-40d2-8ace-693803810b6f.exe | 24% | Metadefender |
        f4b1bde3-706a-40d2-8ace-693803810b6f.exe | 68% | ReversingLabs | Win32.Trojan.Vebzenpak

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\subfolder1\filename1.exe | 24% | Metadefender |
        C:\Users\user\subfolder1\filename1.exe | 68% | ReversingLabs | Win32.Trojan.Vebzenpak

        Unpacked PE Files

        No Antivirus matches

        Domains

        Source | Detection | Scanner | Label
        21twelveinteractive.com | 5% | Virustotal |
        www.21twelveinteractive.com | 1% | Virustotal |

        URLs

        Source | Detection | Scanner | Label

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        21twelveinteractive.com | 103.53.43.36 | true | false | | unknown
        www.21twelveinteractive.com | unknown | unknown | false | | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/sketch-to-psd-design/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/services/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/mobile-app-development/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/megatron-icon/css/stylRegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/plugins/prettyPhoto/css/prettyRegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/android-app-development/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/css/pages/84.cssRegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.21twelveinteractive.com/shopify-development/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.pinterest.com/21twelveinteractive/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                        high
                        https://www.21twelveinteractive.com/comments/feed/RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.21twelveinteractive.com/hire-cross-platform-app-developer/RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.21twelveinteractive.com/wp-content/themes/21twelve/assets/images/flag/aus.pngRegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://web.whatsapp.com/send?phone=13474740020RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                          high
                          https://21twelveinteractive.com/LRegAsm.exe, 00000014.00000002.486363644.0000000000FA7000.00000004.00000020.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.21twelveinteractive.com/fg/janomo_ZhyUp244.binmobiRegAsm.exe, 00000005.00000002.517980335.00000000016E7000.00000004.00000020.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://yoast.com/wordpress/plugins/seo/RegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                            high
                            https://www.21twelveinteractive.com/wp-content/themes/21twelve/style.cssRegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://r6k8z9y5.rocketcdn.me/wp-content/uploads/2019/10/new-logo1.svgRegAsm.exe, 00000005.00000002.529692576.0000000002F00000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.494810701.0000000002A00000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.53.43.36 | unknown | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:356310
                            Start date:22.02.2021
                            Start time:22:06:04
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 21s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:f4b1bde3-706a-40d2-8ace-693803810b6f.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal96.troj.evad.winEXE@12/1@4/1
                            EGA Information:
                            • Successful, ratio: 50%
                            HDC Information:
                            • Successful, ratio: 3.3% (good quality ratio 2.7%)
                            • Quality average: 43.4%
                            • Quality standard deviation: 22.7%
                            HCA Information:
                            • Successful, ratio: 74%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • TCP Packets have been reduced to 100
                            • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.42.151.234, 104.43.193.48, 13.64.90.137, 184.30.20.56, 8.253.204.120, 67.26.83.254, 8.253.95.249, 8.248.143.254, 8.248.131.254, 40.126.31.137, 40.126.31.141, 20.190.159.134, 40.126.31.6, 20.190.159.138, 40.126.31.135, 20.190.159.132, 40.126.31.8, 51.104.139.180, 13.107.42.23, 13.107.5.88, 52.155.217.156
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, config.edge.skype.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, dub2.current.a.prd.aadg.trafficmanager.net, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Execution Graph export aborted for target RegAsm.exe, PID 7000 because there are no executed function
                            • Execution Graph export aborted for target filename1.exe, PID 6732 because there are no executed function
                            • Execution Graph export aborted for target filename1.exe, PID 6844 because there are no executed function
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
22:07:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
22:07:54 | API Interceptor | 16x Sleep call for process: RegAsm.exe modified
22:07:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | LIQUIDACION INTERBANCARIA 02_22_2021.xls | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | document-550193913.xls | malicious | 208.91.199.118
PUBLIC-DOMAIN-REGISTRYUS | document-550193913.xls | malicious | 208.91.199.118
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Trojan.Packed2.42850.3598.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Trojan.Inject4.6572.1879.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | ffkjg5CVrO.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | 7Lf8J7h7os.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | Shipping Details_PDF.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | YKRAB010B_KHE_Preminary Packing List.xlsx.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | RTM DIAS - CTM.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | AWB & Shipping Doc.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | AWB & Shipping Doc.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | PAYMENT INVOICE-9876543456789.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Artemis249E62CF9BAE.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Exploit.Siggen3.10204.3307.xls | malicious | 103.50.162.157
PUBLIC-DOMAIN-REGISTRYUS | document-573042818.xls | malicious | 103.50.162.157
PUBLIC-DOMAIN-REGISTRYUS | document-573042818.xls | malicious | 103.50.162.157
PUBLIC-DOMAIN-REGISTRYUS | document-573042818.xls | malicious | 103.50.162.157
PUBLIC-DOMAIN-REGISTRYUS | document-750895311.xls | malicious | 103.50.162.157
PUBLIC-DOMAIN-REGISTRYUS | 19_02_2021.exe | malicious | 111.118.215.254

                            JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | LIQUIDACION INTERBANCARIA 02_22_2021.xls | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | document-550193913.xls | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | GUEROLA INDUSTRIES Nº de cuenta.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | receipt145.htm | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | xerox for hycite.htm | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Heur.15528.xls | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | Muligheds.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | DHL_6368638172 documento de recibo,pdf.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | PDF.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | pagamento.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | message_zdm (2).html | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | Statement-ID28865611496334.vbs | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | Statement-ID21488878391791.vbs | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | frank_2021-02-22_02-03.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | Statement-ID72347595684775.vbs | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | MR52.vbs | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | Scan_medcal equipment sample_pdf.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | rfq02212021.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe | malicious | 103.53.43.36
37f463bf4616ecd445d4a1937da06e19 | RFQ-#09503.exe | malicious | 103.53.43.36

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\subfolder1\filename1.exe
                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):118784
                            Entropy (8bit):5.390824175915418
                            Encrypted:false
                            SSDEEP:1536:kyPJsmDD03vxnl1eE2Kg58CXEleTxHyb5aVU:kCsE03vxnlIt5b9E0VU
                            MD5:1364F8C4C00B87E5D938E9F95AF828F4
                            SHA1:4DAFECB2752FE653EDBEE9CE9794DEDA34325D5F
                            SHA-256:9A7B0ABC37831A4C9DC1676CC3FC7C0278E413A845ACE42FF4C82E21FC744653
                            SHA-512:6713D07FADF92133E3B2FFB734AD0F89E205B0764E3C012CB3503531BB7AC50F4E9541262D2BB974F7494EA0733C0872D4A76DD296B217C0137E594B920D3EC5
                            Malicious:true
                            Antivirus:
• Antivirus: Metadefender, Detection: 24%
                            • Antivirus: ReversingLabs, Detection: 68%
                            Reputation:low
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D..H..=.....Rich...........PE..L...+~.`.................P...@...............`....@..........................................................................Y..(....@.. U..................................................................(... ....................................text....N.......P.................. ..`.data...<....`.......`..............@....rsrc... U...@...`...p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):5.390824175915418
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.15%
                            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:f4b1bde3-706a-40d2-8ace-693803810b6f.exe
                            File size:118784
                            MD5:1364f8c4c00b87e5d938e9f95af828f4
                            SHA1:4dafecb2752fe653edbee9ce9794deda34325d5f
                            SHA256:9a7b0abc37831a4c9dc1676cc3fc7c0278e413a845ace42ff4c82e21fc744653
                            SHA512:6713d07fadf92133e3b2ffb734ad0f89e205b0764e3c012cb3503531bb7ac50f4e9541262d2bb974f7494ea0733c0872d4a76dd296b217c0137e594b920d3ec5
                            SSDEEP:1536:kyPJsmDD03vxnl1eE2Kg58CXEleTxHyb5aVU:kCsE03vxnlIt5b9E0VU
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D...H...=.......Rich............PE..L...+~.`.................P...@...............`....@................

                            File Icon

                            Icon Hash:8030b296b2b29616

                            Static PE Info

                            General

                            Entrypoint:0x4014a8
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                            DLL Characteristics:
                            Time Stamp:0x602E7E2B [Thu Feb 18 14:48:11 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:4730b340d48d7ad3023c8e9665279a07

                            Entrypoint Preview

                            Instruction
                            push 004022D0h
                            call 00007FAB6482EE85h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            cmp byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            setnb byte ptr [ebp+74EFA7F5h]
                            inc eax
                            call far 6F90h : C0DAA766h
                            sbb eax, dword ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], al
                            add byte ptr [edx+00h], al
                            push es
                            push eax
                            add dword ptr [ecx], 62h
                            outsd
                            insb
                            imul esi, dword ptr [esi+00h], 00000314h
                            add byte ptr [eax], al
                            dec esp
                            xor dword ptr [eax], eax
                            sbb edi, edi
                            or edx, esi
                            lds eax, edx
                            fst dword ptr [ecx]
                            dec ebp
                            or byte ptr [ebx+5Ah], FFFFFFD1h
                            jnp 00007FAB6482EED8h
                            inc ecx
                            sbb al, AEh
                            call 00007FABC8499357h
                            fimul dword ptr [edi-63h]
                            push ds
                            sub al, 1Eh
                            cmp ah, byte ptr [ecx+4F3A5193h]
                            lodsd
                            xor ebx, dword ptr [ecx-48EE309Ah]
                            or al, 00h
                            stosb
                            add byte ptr [eax-2Dh], ah
                            xchg eax, ebx
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            sub eax, dword ptr [eax+eax]
                            add byte ptr [edi], bh
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add eax, 434E5500h
                            push edx
                            inc ebp
                            add byte ptr [41000601h], cl
                            jne 00007FAB6482EF0Ah
                            outsd
                            je 00007FAB6482EF01h
                            add byte ptr [ecx], bl
                            add dword ptr [eax], eax
                            inc edx
                            add byte ptr [edx], ah
                            add eax, 41000624h

                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x159f4 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x5520 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x114 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14ec0 | 0x15000 | False | 0.376511346726 | data | 5.91962877849 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x16000 | 0xd43c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x24000 | 0x5520 | 0x6000 | False | 0.263875325521 | data | 3.75302149721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x241a8 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x242d0 | 0xff8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x252c8 | 0x25a8 | data | |
RT_ICON | 0x27870 | 0x10a8 | data | |
RT_ICON | 0x28918 | 0x988 | data | |
RT_GROUP_ICON | 0x292a0 | 0x4c | data | |
RT_VERSION | 0x292ec | 0x234 | data | Chinese | Taiwan

                            Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrComp, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                            Version Infos

Description | Data
Translation | 0x0404 0x04b0
InternalName | parag
FileVersion | 1.00
CompanyName | Whine Caps
Comments | Whine Caps
ProductName | boliv
ProductVersion | 1.00
OriginalFilename | parag.exe

                            Possible Origin

                            Language of compilation system | Country where language is spoken | Map
                            Chinese | Taiwan |

                            Network Behavior

                            Network Port Distribution

                            TCP Packets


                            UDP Packets


                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Feb 22, 2021 22:07:48.335050106 CET | 192.168.2.3 | 8.8.8.8 | 0x9dce | Standard query (0) | 21twelveinteractive.com | A (IP address) | IN (0x0001)
                            Feb 22, 2021 22:07:51.051738024 CET | 192.168.2.3 | 8.8.8.8 | 0x2dfa | Standard query (0) | www.21twelveinteractive.com | A (IP address) | IN (0x0001)
                            Feb 22, 2021 22:08:47.900338888 CET | 192.168.2.3 | 8.8.8.8 | 0x5ce4 | Standard query (0) | 21twelveinteractive.com | A (IP address) | IN (0x0001)
                            Feb 22, 2021 22:08:50.696456909 CET | 192.168.2.3 | 8.8.8.8 | 0xe5b0 | Standard query (0) | www.21twelveinteractive.com | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Feb 22, 2021 22:07:48.760562897 CET | 8.8.8.8 | 192.168.2.3 | 0x9dce | No error (0) | 21twelveinteractive.com | | 103.53.43.36 | A (IP address) | IN (0x0001)
                            Feb 22, 2021 22:07:50.732038975 CET | 8.8.8.8 | 192.168.2.3 | 0xd241 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                            Feb 22, 2021 22:07:51.462747097 CET | 8.8.8.8 | 192.168.2.3 | 0x2dfa | No error (0) | www.21twelveinteractive.com | 21twelveinteractive.com | | CNAME (Canonical name) | IN (0x0001)
                            Feb 22, 2021 22:07:51.462747097 CET | 8.8.8.8 | 192.168.2.3 | 0x2dfa | No error (0) | 21twelveinteractive.com | | 103.53.43.36 | A (IP address) | IN (0x0001)
                            Feb 22, 2021 22:08:48.323601007 CET | 8.8.8.8 | 192.168.2.3 | 0x5ce4 | No error (0) | 21twelveinteractive.com | | 103.53.43.36 | A (IP address) | IN (0x0001)
                            Feb 22, 2021 22:08:50.747922897 CET | 8.8.8.8 | 192.168.2.3 | 0xe5b0 | No error (0) | www.21twelveinteractive.com | 21twelveinteractive.com | | CNAME (Canonical name) | IN (0x0001)
                            Feb 22, 2021 22:08:50.747922897 CET | 8.8.8.8 | 192.168.2.3 | 0xe5b0 | No error (0) | 21twelveinteractive.com | | 103.53.43.36 | A (IP address) | IN (0x0001)

                            HTTPS Packets

                            Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                            Feb 22, 2021 22:07:49.130351067 CET | 103.53.43.36 | 443 | 192.168.2.3 | 49726 | CN=mail.21twelveinteractive.com | CN=R3, O=Let's Encrypt, C=US | Thu Feb 18 18:38:55 CET 2021 | Wed May 19 19:38:55 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
                            (chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
                            Feb 22, 2021 22:07:51.777489901 CET | 103.53.43.36 | 443 | 192.168.2.3 | 49729 | CN=mail.21twelveinteractive.com | CN=R3, O=Let's Encrypt, C=US | Thu Feb 18 18:38:55 CET 2021 | Wed May 19 19:38:55 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
                            (chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
                            Feb 22, 2021 22:08:48.693511009 CET | 103.53.43.36 | 443 | 192.168.2.3 | 49735 | CN=mail.21twelveinteractive.com | CN=R3, O=Let's Encrypt, C=US | Thu Feb 18 18:38:55 CET 2021 | Wed May 19 19:38:55 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
                            (chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
                            Feb 22, 2021 22:08:51.115323067 CET | 103.53.43.36 | 443 | 192.168.2.3 | 49737 | CN=mail.21twelveinteractive.com | CN=R3, O=Let's Encrypt, C=US | Thu Feb 18 18:38:55 CET 2021 | Wed May 19 19:38:55 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
                            (chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

                            Code Manipulations

                            Statistics

                            Behavior


                            System Behavior

                            General

                            Start time: 22:06:51
                            Start date: 22/02/2021
                            Path: C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
                            Imagebase: 0x400000
                            File size: 118784 bytes
                            MD5 hash: 1364F8C4C00B87E5D938E9F95AF828F4
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: Visual Basic
                            Reputation: low

                            General

                            Start time: 22:07:21
                            Start date: 22/02/2021
                            Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\f4b1bde3-706a-40d2-8ace-693803810b6f.exe'
                            Imagebase: 0xee0000
                            File size: 53248 bytes
                            MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 22:07:21
                            Start date: 22/02/2021
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff6b2800000
                            File size: 625664 bytes
                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 22:07:56
                            Start date: 22/02/2021
                            Path: C:\Users\user\subfolder1\filename1.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\subfolder1\filename1.exe'
                            Imagebase: 0x400000
                            File size: 118784 bytes
                            MD5 hash: 1364F8C4C00B87E5D938E9F95AF828F4
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: Visual Basic
                            Antivirus matches:
                            • Detection: 24%, Metadefender
                            • Detection: 68%, ReversingLabs
                            Reputation: low

                            General

                            Start time: 22:08:04
                            Start date: 22/02/2021
                            Path: C:\Users\user\subfolder1\filename1.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\subfolder1\filename1.exe'
                            Imagebase: 0x400000
                            File size: 118784 bytes
                            MD5 hash: 1364F8C4C00B87E5D938E9F95AF828F4
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: Visual Basic
                            Reputation: low

                            General

                            Start time: 22:08:23
                            Start date: 22/02/2021
                            Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\subfolder1\filename1.exe'
                            Imagebase: 0x870000
                            File size: 53248 bytes
                            MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 22:08:23
                            Start date: 22/02/2021
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff6b2800000
                            File size: 625664 bytes
                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 22:08:32
                            Start date: 22/02/2021
                            Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\subfolder1\filename1.exe'
                            Imagebase: 0xb50000
                            File size: 53248 bytes
                            MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 22:08:33
                            Start date: 22/02/2021
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff6b2800000
                            File size: 625664 bytes
                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            Disassembly

                            Code Analysis
