File name:

nouacomandapdf.exe

Full analysis: https://app.any.run/tasks/2fa29c85-3786-4bd9-8c8a-e50c1927a3e6
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: April 19, 2025, 08:25:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
formbook
stealer
xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

CECA2DFF2DDF27EE53AD866B23535B48

SHA1:

D9012C547137E1C643B436A25FEAB998A3A49C52

SHA256:

F3398E6A171A2DC31C171813ABA4ABA9E9D81921A65151F8C16D63DF8E638C88

SSDEEP:

24576:KLDaQzqiLsDj2w7iSKTF/vLl+OMQDXSh8eA0ArTa4Di:sDagqiLsDj2w7iSKTF/vLl+OBDCh8eAp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 8088)
      • reg.exe (PID: 8128)

    • Create files in the Startup directory

      • cmd.exe (PID: 7980)

    • FORMBOOK has been detected (YARA)

      • skype.exe (PID: 1324)
      • skype.exe (PID: 2100)

    • FORMBOOK has been detected

      • systray.exe (PID: 7548)
      • control.exe (PID: 1616)

  • SUSPICIOUS

    • Hides command output

      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 7876)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 7876)
      • cmd.exe (PID: 7980)

    • Starts CMD.EXE for commands execution

      • skype.exe (PID: 7824)
      • nouacomandapdf.exe (PID: 7648)
      • systray.exe (PID: 7548)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 7876)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 7980)
      • nouacomandapdf.exe (PID: 7648)

    • Reads security settings of Internet Explorer

      • nouacomandapdf.exe (PID: 7648)

    • Starts itself from another location

      • nouacomandapdf.exe (PID: 7648)

    • The executable file from the user directory is run by the CMD process

      • skype.exe (PID: 2100)

    • Deletes system .NET executable

      • cmd.exe (PID: 7488)

  • INFO

    • Reads the computer name

      • nouacomandapdf.exe (PID: 7648)
      • skype.exe (PID: 7824)
      • skype.exe (PID: 1324)
      • skype.exe (PID: 2100)
      • AddInProcess32.exe (PID: 5008)
      • AddInProcess32.exe (PID: 7196)

    • Checks supported languages

      • nouacomandapdf.exe (PID: 7648)
      • skype.exe (PID: 1324)
      • skype.exe (PID: 7824)
      • skype.exe (PID: 2100)
      • AddInProcess32.exe (PID: 5008)
      • AddInProcess32.exe (PID: 7196)

    • Reads the machine GUID from the registry

      • nouacomandapdf.exe (PID: 7648)
      • skype.exe (PID: 7824)
      • skype.exe (PID: 1324)
      • skype.exe (PID: 2100)

    • Auto-launch of the file from Startup directory

      • cmd.exe (PID: 7980)

    • Manual execution by a user

      • skype.exe (PID: 1324)
      • systray.exe (PID: 7548)
      • autochk.exe (PID: 7560)
      • control.exe (PID: 1616)

    • Process checks computer location settings

      • nouacomandapdf.exe (PID: 7648)

    • Reads the software policy settings

      • slui.exe (PID: 7456)

    • Checks proxy server information

      • slui.exe (PID: 7456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:17 08:47:44+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 80
CodeSize: 643072
InitializedDataSize: 26112
UninitializedDataSize: -
EntryPoint: 0x9efde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.6.8.10
ProductVersionNumber: 4.6.8.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 5@26F<?GIBHD;3?IA5?
CompanyName: AA=AGB5B633365H<BF
FileDescription: I8E6AA<63J>45BF
FileVersion: 4.6.8.10
InternalName: order pdf.exe
LegalCopyright: Copyright © 1997 AA=AGB5B633365H<BF
OriginalFileName: order pdf.exe
ProductName: I8E6AA<63J>45BF
ProductVersion: 4.6.8.10
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
149
Monitored processes
24
Malicious processes
7
Suspicious processes
4

Behavior graph

Click at the process to see the details
start nouacomandapdf.exe cmd.exe no specs conhost.exe no specs ping.exe no specs skype.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs cmd.exe conhost.exe no specs ping.exe no specs reg.exe reg.exe ping.exe no specs #FORMBOOK skype.exe no specs addinprocess32.exe no specs #FORMBOOK skype.exe no specs addinprocess32.exe no specs slui.exe #FORMBOOK systray.exe no specs cmd.exe no specs conhost.exe no specs autochk.exe no specs #FORMBOOK control.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1324"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
explorer.exe
User:
admin
Company:
AA=AGB5B633365H<BF
Integrity Level:
MEDIUM
Description:
I8E6AA<63J>45BF
Exit code:
0
Version:
4.6.8.10
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\skype\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
1616"C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\control.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2100"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
cmd.exe
User:
admin
Company:
AA=AGB5B633365H<BF
Integrity Level:
MEDIUM
Description:
I8E6AA<63J>45BF
Exit code:
0
Version:
4.6.8.10
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\skype\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5008"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeskype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
5800ping 127.0.0.1 -n 19 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7196"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeskype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7456C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7488/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\SysWOW64\cmd.exesystray.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7548"C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7560"C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Auto Check Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\autochk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
5 107
Read events
5 105
Write events
2
Delete events
0

Modification events

(PID) Process:(8088) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:Shell
Value:
explorer.exe,C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe,
(PID) Process:(8128) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:Shell
Value:
explorer.exe,C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe,
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7648nouacomandapdf.exeC:\Users\admin\AppData\Local\Temp\skype.exeexecutable
MD5:CECA2DFF2DDF27EE53AD866B23535B48
SHA256:F3398E6A171A2DC31C171813ABA4ABA9E9D81921A65151F8C16D63DF8E638C88
7980cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exeexecutable
MD5:CECA2DFF2DDF27EE53AD866B23535B48
SHA256:F3398E6A171A2DC31C171813ABA4ABA9E9D81921A65151F8C16D63DF8E638C88
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
49
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7152
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7152
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
20.109.210.53:443
https://slscr.update.microsoft.com/sls/ping
unknown
7152
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7152
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7152
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7152
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.1
  • 20.190.159.129
  • 40.126.31.3
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.68
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
nouacomandapdf.exe