File name:

dekont.pdf.exe

Full analysis: https://app.any.run/tasks/4bfcc9fa-fd0c-445c-ad73-a19ca9e9928a
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 12:35:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
formbook
stealer
xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

C7C545BDD0BA6ABA5DC454DF13B928E4

SHA1:

616F2FB37D07CF17C69326FCEF5C91005F5B13A0

SHA256:

3FBCEC3B7E1D2B8EFEF9E2AB1BE54A55E2252166CD357FC2EE9CB42581851365

SSDEEP:

24576:iZI/a8TemkRa6mvZyi/9d76/e3QLmfC7JmOGoMKMQYi/0PiFRW3EZEYv:iZI/a8Tem2a6mvZyi/9d76/e3QLmfC7t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • FORMBOOK has been detected

      • cscript.exe (PID: 7664)

    • FORMBOOK has been detected (YARA)

      • cscript.exe (PID: 7664)

  • SUSPICIOUS

    • Application launched itself

      • dekont.pdf.exe (PID: 7308)

    • Starts a Microsoft application from unusual location

      • dekont.pdf.exe (PID: 7308)
      • dekont.pdf.exe (PID: 7624)

    • Process drops legitimate windows executable

      • dekont.pdf.exe (PID: 7308)

    • Starts CMD.EXE for commands execution

      • cscript.exe (PID: 7664)

  • INFO

    • Checks supported languages

      • dekont.pdf.exe (PID: 7308)
      • dekont.pdf.exe (PID: 7624)

    • Reads the computer name

      • dekont.pdf.exe (PID: 7308)
      • dekont.pdf.exe (PID: 7624)

    • Reads the machine GUID from the registry

      • dekont.pdf.exe (PID: 7308)

    • Manual execution by a user

      • cscript.exe (PID: 7664)

    • Checks proxy server information

      • slui.exe (PID: 7888)

    • Reads the software policy settings

      • slui.exe (PID: 7888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(7664) cscript.exe
C2www.lectro-hub.online/m13o/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)un20250227-23.fun
mallelectricarsgb.bond
emvmaasbn.pro
ewaraja.xyz
olar-systems-panels-18238.bond
anjau2.cfd
ental-implants-58831.bond
riferrari.shop
ypham-japan.shop
imilarityapi.xyz
ealthywayzone.online
r33bz.online
ureformula.shop
arlsjrmenu.net
ziugsyw.xyz
osmetic-packaging-jobs.click
uaizhan.xyz
99game.xyz
otdrones.shop
rettvollmar.shop
uslim-dating-iocc5xdbns61.today
nomy.app
egreen.green
elegelhg.watch
twuytr.online
ishwasher-jobs-678341.today
imorraes.shop
88p2p.xyz
viddeos.red
iverlakes.online
yroisland.net
hufi.pink
egalregistration.net
rice-artificial-886827482.click
ailyhotdealstoday.world
adenauno1240.online
verythingchat.xyz
ushgroup.info
crypt.xyz
bjcwedding.xyz
arlist.app
owbest.click
partmentflatart.xyz
yperfakeverse.xyz
etafusion.tech
railers.info
onstruction-jobs-92972.bond
evala.online
ngin.live
peekr.app
awspro4d.net
3-nine.net
nifiedway.sbs
aceseek.online
ompresormx1.today
ipsexshop.shop
zit.world
rendvault.fashion
italbitez.info
ertifiedfasting.info
eliverynacional.online
ainiceria.pro
ealdirectiveteam.info
lberche.info
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2068:08:07 00:26:41+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 640512
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x9e562
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: Compatibility Database
FileVersion: 1.0.0.0
InternalName: xpNF.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: xpNF.exe
ProductName: Compatibility Database
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dekont.pdf.exe no specs dekont.pdf.exe no specs #FORMBOOK cscript.exe no specs cmd.exe no specs conhost.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7308"C:\Users\admin\Desktop\dekont.pdf.exe" C:\Users\admin\Desktop\dekont.pdf.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Compatibility Database
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\dekont.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7624"C:\Users\admin\Desktop\dekont.pdf.exe"C:\Users\admin\Desktop\dekont.pdf.exedekont.pdf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Compatibility Database
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\dekont.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7664"C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Formbook
(PID) Process(7664) cscript.exe
C2www.lectro-hub.online/m13o/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)un20250227-23.fun
mallelectricarsgb.bond
emvmaasbn.pro
ewaraja.xyz
olar-systems-panels-18238.bond
anjau2.cfd
ental-implants-58831.bond
riferrari.shop
ypham-japan.shop
imilarityapi.xyz
ealthywayzone.online
r33bz.online
ureformula.shop
arlsjrmenu.net
ziugsyw.xyz
osmetic-packaging-jobs.click
uaizhan.xyz
99game.xyz
otdrones.shop
rettvollmar.shop
uslim-dating-iocc5xdbns61.today
nomy.app
egreen.green
elegelhg.watch
twuytr.online
ishwasher-jobs-678341.today
imorraes.shop
88p2p.xyz
viddeos.red
iverlakes.online
yroisland.net
hufi.pink
egalregistration.net
rice-artificial-886827482.click
ailyhotdealstoday.world
adenauno1240.online
verythingchat.xyz
ushgroup.info
crypt.xyz
bjcwedding.xyz
arlist.app
owbest.click
partmentflatart.xyz
yperfakeverse.xyz
etafusion.tech
railers.info
onstruction-jobs-92972.bond
evala.online
ngin.live
peekr.app
awspro4d.net
3-nine.net
nifiedway.sbs
aceseek.online
ompresormx1.today
ipsexshop.shop
zit.world
rendvault.fashion
italbitez.info
ertifiedfasting.info
eliverynacional.online
ainiceria.pro
ealdirectiveteam.info
lberche.info
7708/c del "C:\Users\admin\Desktop\dekont.pdf.exe"C:\Windows\SysWOW64\cmd.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7716\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7888C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 544
Read events
3 544
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
20
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5556
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1804
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7888
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.arlsjrmenu.net
unknown
www.imilarityapi.xyz
malicious
www.etafusion.tech
malicious
www.rice-artificial-886827482.click
unknown
www.rendvault.fashion
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dekont.pdf.exe