
Analysis Report NOAH FORMBOOK_crypted.exe

Overview

General Information

Sample Name: NOAH FORMBOOK_crypted.exe
Analysis ID: 286158
MD5: 786f7116b110303287aed5571dad3789
SHA1: 1ac724333f61654bb7560721e6420c014bcba932
SHA256: 704e900ae3d5645795927711e8f35d8b424ffcbbc4535f71346ea0feafebf14a

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NOAH FORMBOOK_crypted.exe (PID: 6492 cmdline: 'C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe' MD5: 786F7116B110303287AED5571DAD3789)
    • RegSvcs.exe (PID: 6532 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 4704 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • pvbxnlcpxt.exe (PID: 6932 cmdline: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
          • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b277:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c27a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18359:$sqlite3step: 68 34 1C 7B E1
  • 0x1846c:$sqlite3step: 68 34 1C 7B E1
  • 0x18388:$sqlite3text: 68 38 2A 90 C5
  • 0x184ad:$sqlite3text: 68 38 2A 90 C5
  • 0x1839b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184c3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b277:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c27a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a477:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b47a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x17559:$sqlite3step: 68 34 1C 7B E1
  • 0x1766c:$sqlite3step: 68 34 1C 7B E1
  • 0x17588:$sqlite3text: 68 38 2A 90 C5
  • 0x176ad:$sqlite3text: 68 38 2A 90 C5
  • 0x1759b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176c3:$sqlite3blob: 68 53 D8 7F 8C
1.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b277:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c27a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: NOAH FORMBOOK_crypted.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: NOAH FORMBOOK_crypted.exe | Virustotal: Detection: 33%
Source: NOAH FORMBOOK_crypted.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.214384893.000000000458C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258000845.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.472050354.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.213957115.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259423324.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259381222.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: NOAH FORMBOOK_crypted.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then pop ebx | 1_2_00407AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then pop esi | 1_2_004172A2
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop esi | 6_2_001D72A2
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx | 6_2_001C7AFD
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View | ASN Name: AEROTEK-ASTR AEROTEK-ASTR
Source: Joe Sandbox View | ASN Name: PLI-ASCH PLI-ASCH
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-content/plugins/under-construction-page/themes/css/bootstrap.m
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-content/plugins/under-construction-page/themes/css/common.css?
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-content/plugins/under-construction-page/themes/css/font-awesom
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-content/plugins/under-construction-page/themes/images/favicon.
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-content/plugins/under-construction-page/themes/mad_designer/ma
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-content/plugins/under-construction-page/themes/mad_designer/st
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://ameliyatsizomuztedavisi.com/wp-login.php
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: http://survey-smiles.com
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: help.exe, 00000006.00000002.475140208.0000000003519000.00000004.00000001.sdmp | String found in binary or memory: http://www.nordstromcolumbia.com
Source: help.exe, 00000006.00000002.475140208.0000000003519000.00000004.00000001.sdmp | String found in binary or memory: http://www.nordstromcolumbia.com/aa3/
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.241639386.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 00000006.00000002.475498473.000000000388F000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Creates a DirectInput object (often for capturing keystrokes)
Source: pvbxnlcpxt.exe, 00000015.00000002.462163590.0000000000E28000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.214384893.000000000458C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258000845.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.472050354.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.213957115.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259423324.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259381222.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\help.exe | Dropped file: C:\Users\user\AppData\Roaming\9K242ASW\9K2logri.ini
Source: C:\Windows\SysWOW64\help.exe | Dropped file: C:\Users\user\AppData\Roaming\9K242ASW\9K2logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.214384893.000000000458C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.214384893.000000000458C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258000845.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258000845.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.472050354.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.472050354.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.213957115.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.213957115.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259423324.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.259423324.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259381222.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.259381222.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe | Code function: 0_2_05AB0862 NtQuerySystemInformation
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe | Code function: 0_2_05AB0831 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00419CB0 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00419D60 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00419DE0 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00419E90 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00419CAB NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00419DDB NtClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010699A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010698F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010695D0 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010697A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010696E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069950 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010699D0 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069820 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_0106B040 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010698A0 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069B00 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_0106A3B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069A10 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069A80 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069520 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_0106AD30 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069560 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010695F0 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_0106A710 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069730 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069760 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069770 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_0106A770 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069FE0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069610 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069650 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_01069670 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_010696D0 NtCreateKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B899A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B895D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89560 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B896E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B896D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89610 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89B00 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89770 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B898A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B898F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89820 NtEnumerateKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B8B040 NtSuspendThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B895F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B899D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B8AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89950 NtQueueApcThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89A20 NtResumeThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89A10 NtQuerySection
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B8A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B897A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B89730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_00B8A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00B8A770 NtOpenThread,6_2_00B8A770
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00B89760 NtOpenProcess,6_2_00B89760
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_001D9CB0 NtCreateFile,6_2_001D9CB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_001D9D60 NtReadFile,6_2_001D9D60
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_001D9DE0 NtClose,6_2_001D9DE0
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_001D9E90 NtAllocateVirtualMemory,6_2_001D9E90
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_001D9CAB NtCreateFile,6_2_001D9CAB
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_001D9DDB NtClose,6_2_001D9DDB
Source: C:\Windows\SysWOW64\help.exe; Code function: String function: 00B4B150 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: String function: 0102B150 appears 32 times
Source: NOAH FORMBOOK_crypted.exe, 00000000.00000002.215357685.0000000005700000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameEminem.dll< vs NOAH FORMBOOK_crypted.exe
Source: NOAH FORMBOOK_crypted.exe, 00000000.00000000.206296839.0000000000D88000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameqmZx.exe, vs NOAH FORMBOOK_crypted.exe
Source: NOAH FORMBOOK_crypted.exe, 00000000.00000002.215055823.0000000005680000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs NOAH FORMBOOK_crypted.exe
Source: NOAH FORMBOOK_crypted.exe, 00000000.00000002.214113223.0000000004483000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameButterFly.dll< vs NOAH FORMBOOK_crypted.exe
Source: NOAH FORMBOOK_crypted.exe; Binary or memory string: OriginalFilenameqmZx.exe, vs NOAH FORMBOOK_crypted.exe
Source: 00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.471664478.00000000005E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.471104134.00000000001C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.214384893.000000000458C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.214384893.000000000458C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258000845.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258000845.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.472050354.0000000000750000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.472050354.0000000000750000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.213957115.00000000043B1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.213957115.00000000043B1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259423324.0000000000E30000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.259423324.0000000000E30000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259381222.0000000000E00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.259381222.0000000000E00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: NOAH FORMBOOK_crypted.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NOAH FORMBOOK_crypted.exe, SecurityZone.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.NOAH FORMBOOK_crypted.exe.d20000.0.unpack, SecurityZone.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.NOAH FORMBOOK_crypted.exe.d20000.0.unpack, SecurityZone.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@10/9@0/3
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_05AB06E6 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_05AB06AF AdjustTokenPrivileges
Source: C:\Windows\explorer.exe; File created: C:\Program Files (x86)\Lbvnhor5
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NOAH FORMBOOK_crypted.exe.log
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_01
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Mutant created: \Sessions\1\BaseNamedObjects\WxgzIH
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Temp\Lbvnhor5
Source: NOAH FORMBOOK_crypted.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\explorer.exe; File read: C:\Users\user\AppData\Roaming\9K242ASW\9K2logri.ini
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: NOAH FORMBOOK_crypted.exe; Virustotal: Detection: 33%
Source: NOAH FORMBOOK_crypted.exe; ReversingLabs: Detection: 29%
Source: unknown; Process created: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe 'C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe'
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown; Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\explorer.exe; Process created: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe
Source: C:\Windows\SysWOW64\help.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe'
Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
Source: C:\Windows\SysWOW64\help.exe; File written: C:\Users\user\AppData\Roaming\9K242ASW\9K2logri.ini
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\SysWOW64\help.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: NOAH FORMBOOK_crypted.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NOAH FORMBOOK_crypted.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.259929084.000000000111F000.00000040.00000001.sdmp, help.exe, 00000006.00000002.473097599.0000000000C3F000.00000040.00000001.sdmp
          Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: pvbxnlcpxt.exe, 00000015.00000002.463306353.0000000005030000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, help.exe
          Source: Binary string: RegSvcs.pdb source: help.exe, 00000006.00000002.474965753.000000000339F000.00000004.00000001.sdmp, pvbxnlcpxt.exe, pvbxnlcpxt.exe.2.dr
          Source: Binary string: help.pdbGCTL source: RegSvcs.exe, 00000001.00000002.259509314.0000000000E90000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: RegSvcs.exe, 00000001.00000002.259509314.0000000000E90000.00000040.00000001.sdmp
          Source: Binary string: mscorrc.pdb source: NOAH FORMBOOK_crypted.exe, 00000000.00000002.215055823.0000000005680000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_00D83F19 push es; ret 0_2_00D83F1C
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_00D83DDE push es; ret 0_2_00D83E7A
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_00D83E85 push cs; iretd 0_2_00D83E8C
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_00D83DA9 push es; ret 0_2_00D83E7A
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Code function: 0_2_05BF399A push edi; retf 0_2_05BF39A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_0041786B push ss; iretd 1_2_0041786C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_0041CE52 push eax; ret 1_2_0041CE58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_0041CE5B push eax; ret 1_2_0041CEC2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_0041CE05 push eax; ret 1_2_0041CE58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_0041CEBC push eax; ret 1_2_0041CEC2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_00416732 push esp; retf 1_2_0041673F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 1_2_0107D0D1 push ecx; ret 1_2_0107D0E4
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_00B9D0D1 push ecx; ret 6_2_00B9D0E4
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001D786B push ss; iretd 6_2_001D786C
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001DCE05 push eax; ret 6_2_001DCE58
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001DDE3C push F74085F8h; ret 6_2_001DDE41
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001DCE5B push eax; ret 6_2_001DCEC2
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001DCE52 push eax; ret 6_2_001DCE58
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001DCEBC push eax; ret 6_2_001DCEC2
Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_001DDF38 push D9B4C6F7h; iretd 6_2_001DDF40
Source: initial sample; Static PE information: section name: .text entropy: 7.97481661621
Source: C:\Windows\explorer.exe; File created: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Temp\Lbvnhor5\pvbxnlcpxt.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\help.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run _Z7LMD

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe; User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE7
Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.213415142.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.213487112.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NOAH FORMBOOK_crypted.exe PID: 6492, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: NOAH FORMBOOK_crypted.exe, 00000000.00000002.213415142.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: NOAH FORMBOOK_crypted.exe, 00000000.00000002.213415142.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
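          The two strings above sit in the unpacked heap region at 033B1000 of the parent process. SbieDll.dll is the DLL Sandboxie injects into every sandboxed process, and wine_get_unix_file_name is a kernel32 export that exists only under Wine, so a successful GetModuleHandle or GetProcAddress on either tells the sample it is being analysed. The following is an added example, not code from the report or from the sample: a small triage scanner that looks for such artifact strings in a raw memory dump (for instance the .sdmp regions listed above), matching case-insensitively and in both ASCII and UTF-16LE, since the report shows the strings in upper case. The marker entries beyond the two quoted in the report, and the embedded sample buffer, are constructed assumptions.

```c
/* Added example (not from the report): scan a raw memory dump for the
 * sandbox/emulator artifact strings the AntiVM Yara rule keyed on. Markers
 * beyond the two quoted in the report, and the embedded sample buffer, are
 * constructed assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const MARKERS[] = {
    "SbieDll.dll",              /* Sandboxie's injected DLL (report: SBIEDLL.DLL) */
    "wine_get_unix_file_name",  /* kernel32 export that only Wine provides */
    "vmtoolsd.exe",             /* assumption: VMware guest tools process */
    "VBoxService.exe",          /* assumption: VirtualBox guest service */
};
#define NMARKERS (sizeof MARKERS / sizeof MARKERS[0])

/* Case-insensitive substring search over a buffer that may contain NULs.
 * With wide != 0 the needle is matched as UTF-16LE (each char followed by 0). */
static long find_ci(const unsigned char *buf, size_t len, const char *needle, int wide) {
    size_t n = strlen(needle), stride = wide ? 2 : 1;
    if (n == 0 || len < n * stride) return -1;
    for (size_t i = 0; i + n * stride <= len; i++) {
        size_t j = 0;
        while (j < n
               && tolower(buf[i + j * stride]) == tolower((unsigned char)needle[j])
               && (!wide || buf[i + j * stride + 1] == 0))
            j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Returns a bitmask: bit k is set when MARKERS[k] occurs (ASCII or UTF-16LE). */
static unsigned scan_dump(const unsigned char *buf, size_t len) {
    unsigned hits = 0;
    for (size_t k = 0; k < NMARKERS; k++) {
        for (int wide = 0; wide < 2; wide++) {
            long off = find_ci(buf, len, MARKERS[k], wide);
            if (off >= 0) {
                hits |= 1u << k;
                printf("  %-25s %-6s at offset 0x%lx\n", MARKERS[k],
                       wide ? "utf16" : "ascii", (unsigned long)off);
            }
        }
    }
    return hits;
}

/* Constructed stand-in for a dump region: the Wine string in upper case, as
 * the report shows it, plus the Sandboxie DLL name stored as UTF-16LE. */
static const unsigned char SAMPLE[] =
    "\x00\x00junk\x00" "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME" "\x00\x00"
    "S\0b\0i\0e\0D\0l\0l\0.\0d\0l\0l\0" "\x00more";

int main(int argc, char **argv) {
    if (argc < 2) {
        printf("scanning built-in sample buffer\n");
        unsigned hits = scan_dump(SAMPLE, sizeof SAMPLE);
        printf("hit mask: 0x%x\n", hits);
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);
    if (size < 0) { fclose(f); return 1; }
    unsigned char *buf = malloc(size > 0 ? (size_t)size : 1);
    if (!buf) { fclose(f); return 1; }
    size_t got = fread(buf, 1, (size_t)size, f);
    fclose(f);
    printf("scanning %s (%zu bytes)\n", argv[1], got);
    unsigned hits = scan_dump(buf, got);
    free(buf);
    return hits ? 2 : 0;   /* non-zero exit when any marker was found */
}
```

          Run it with a dump file path to scan that file, or without arguments to scan the built-in buffer, which yields hit mask 0x3 (the Wine export found as ASCII, the Sandboxie DLL found as UTF-16LE). A hit only shows that the sample carries the check, not which branch it took; confirming the evasion still needs the API-level trace the report gives elsewhere.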
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | RDTSC instruction interceptor: first address: 00000000004098D4, second address: 00000000004098DA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | RDTSC instruction interceptor: first address: 0000000000409B4E, second address: 0000000000409B54, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: first address: 00000000001C98D4, second address: 00000000001C98DA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: first address: 00000000001C9B4E, second address: 00000000001C9B54, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 1_2_00409A80 rdtsc 1_2_00409A80
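          The interceptor caught the same six-byte sequence at two places in both injected hosts (RegSvcs.exe and help.exe, at the same image-relative offsets 0x98D4 and 0x9B4E): the first rdtsc result is saved in ecx, the counter is read again, and the code that follows compares the two. On bare metal, and under hypervisors that let rdtsc execute natively, the gap between two adjacent reads is a few dozen ticks; under a single-stepping debugger, an instruction emulator or an analysis hook that runs between the two reads it grows by orders of magnitude, which is what the sample tests for. The following is an added example, not code from the report or from the sample, that rebuilds the measurement so the numbers can be observed; the threshold of 1000 ticks and the sample count are assumptions, and the non-x86 fallback using a monotonic clock is mine, not something the sample does.

```c
/* Added example (not code from the Joe Sandbox report or from the sample):
 * the paired-RDTSC timing check the report intercepted in RegSvcs.exe and
 * help.exe, rebuilt so the measurement and its decision can be run and
 * observed. The threshold (1000 ticks) and sample count are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
/* Same shape as the intercepted code:
 *   rdtsc            ; low 32 bits of the counter in eax
 *   xor ecx, ecx
 *   add ecx, eax     ; keep the first reading in ecx
 *   rdtsc            ; read again; the caller compares eax against ecx
 * Only the low 32 bits are used, as in the intercepted sequence. */
static uint32_t rdtsc_pair_delta(void) {
    uint32_t first, second;
    __asm__ __volatile__("rdtsc" : "=a"(first) : : "edx");
    uint32_t ecx = 0;            /* xor ecx, ecx */
    ecx += first;                /* add ecx, eax */
    __asm__ __volatile__("rdtsc" : "=a"(second) : : "edx");
    return second - ecx;         /* unsigned wrap keeps the delta correct */
}
#else
/* Non-x86 fallback (assumption, for portability only): nanoseconds between
 * two monotonic clock reads stand in for TSC ticks. */
static uint32_t rdtsc_pair_delta(void) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint32_t)((b.tv_sec - a.tv_sec) * 1000000000L + (b.tv_nsec - a.tv_nsec));
}
#endif

/* Keep the smallest of `samples` readings: a timer interrupt or context
 * switch inflates one reading on real hardware, but the minimum only stays
 * large when every instruction is being single-stepped or emulated. */
static uint32_t min_rdtsc_delta(int samples) {
    uint32_t best = UINT32_MAX;
    for (int i = 0; i < samples; i++) {
        uint32_t d = rdtsc_pair_delta();
        if (d < best) best = d;
    }
    return best;
}

/* The decision the sample takes: a large gap means "under analysis". */
static bool looks_instrumented(uint32_t delta, uint32_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint32_t d = min_rdtsc_delta(1000);
    printf("minimum delta between paired reads: %u ticks\n", d);
    printf("verdict: %s\n",
           looks_instrumented(d, 1000) ? "instrumented" : "not instrumented");
    return 0;
}
```

          The practical consequence for an analyst is visible in the report itself: the sandbox does not try to make the host fast, it intercepts rdtsc (the "RDTSC instruction interceptor" entries above) so it can hand the sample a plausible small delta. When reproducing the behaviour in a debugger, breakpoints or single-stepping between the two reads will trip this check, so step over the whole sequence or patch the comparison.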
          Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\Lbvnhor5\pvbxnlcpxt.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\NOAH FORMBOOK_crypted.exe TID: 6496 | Thread sleep time: -56280s >= -30000s
          Source: C:\Users\user\