File name:

AcroCEF.exe

Full analysis: https://app.any.run/tasks/39b0946b-fb8b-4ce8-963d-401a1b726d37
Verdict: Malicious activity
Analysis date: June 21, 2025, 18:43:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5:

30CCC8D40C3A927D7B7FBA1E5F2BCAF9

SHA1:

8EDC71EFFB08A4509E54204713518C522B67A62B

SHA256:

0E8863AD2062D5775D5955AB971F585674416D20E1B1570BF9B0EFFC8E63C3B9

SSDEEP:

49152:V92X5xd4X5Rl+JbXEM3lZmslTY8ranKtLzfObDdEFP304YY3EVJzb3boSwijiGNM:R5T8rjAbpENaUOW+XGMw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • AcroCEF.exe (PID: 7048)
      • net.exe (PID: 6268)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • AcroCEF.exe (PID: 7048)
    • Executable content was dropped or overwritten

      • AcroCEF.exe (PID: 7048)
      • cmd.exe (PID: 4984)
    • Modifies hosts file to alter network resolution

      • AcroCEF.exe (PID: 7048)
    • Executing commands from a ".bat" file

      • AcroCEF.exe (PID: 7048)
    • Executes application which crashes

      • AcroCEF.exe (PID: 6368)
  • INFO

    • Checks supported languages

      • AcroCEF.exe (PID: 7048)
      • AcroCEF.exe (PID: 6368)
    • Failed to create an executable file in Windows directory

      • AcroCEF.exe (PID: 7048)
    • The sample was compiled with Chinese language support

      • AcroCEF.exe (PID: 7048)
    • Creates files in a temporary directory

      • AcroCEF.exe (PID: 7048)
    • Checks proxy server information

      • WerFault.exe (PID: 4224)
      • slui.exe (PID: 4172)
    • Reads the software policy settings

      • WerFault.exe (PID: 4224)
      • slui.exe (PID: 4172)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4224)
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 0.37
CodeSize: 66560
InitializedDataSize: 37888
UninitializedDataSize: -
EntryPoint: 0x361ec
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 1.0.0.0
Comments: -
No data.
Total processes: 142
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes in the graph (in order shown; "no specs" marks a process with no indicators): acrocef.exe, net.exe (no specs), conhost.exe (no specs), net1.exe (no specs), cmd.exe, conhost.exe (no specs), acrocef.exe, werfault.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
424
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4172
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4224
CMD:
C:\WINDOWS\system32\WerFault.exe -u -p 6368 -s 452
Path:
C:\Windows\System32\WerFault.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID:
4844
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4984
CMD:
C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\$a6E2B.bat
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6268
CMD:
net stop "Kingsoft AntiVirus Service"
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6368
CMD:
"C:\Users\admin\Desktop\AcroCEF.exe"
Path:
C:\Users\admin\Desktop\AcroCEF.exe
Parent process:
cmd.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe AcroCEF
Exit code:
3228369022
Version:
23.8.20533.0
Modules
Images
c:\users\admin\desktop\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
6460
CMD:
C:\WINDOWS\system32\net1 stop "Kingsoft AntiVirus Service"
Path:
C:\Windows\SysWOW64\net1.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID:
7048
CMD:
"C:\Users\admin\Desktop\AcroCEF.exe"
Path:
C:\Users\admin\Desktop\AcroCEF.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 10 050
Read events: 10 050
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4224 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AcroCEF.exe_5797beffe02cff1fda6f2854e721f06c80b0a2d4_54f2ff2f_76fc4943-5ac2-4878-9ed9-6c6f05c8d9a6\Report.wer | -
MD5: -
SHA256: -
4224 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\AcroCEF.exe.6368.dmp | binary
MD5: F1953228269FF1D617CC8C33155340B4
SHA256: 4E92C526002D612CD8FBD097A28B92ED6A1318A68BCC00263921669887A7E996
4224 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER705D.tmp.dmp | binary
MD5: 1F6CDA9A758FFC212CB17387CE6DA9BE
SHA256: 946B128841E76BD06CC988F3327289B2F5D04CC83A44DEAF0A9AC19C7142AAF6
7048 | AcroCEF.exe | C:\Users\admin\Desktop\AcroCEF.exe.exe | executable
MD5: CD53C61345139DD549495633C7195A9D
SHA256: 2B2538D62A3D95CAA1EAAF402DDA55E9B0DC66E5A0B8F6C8FD3042550E48D56D
4224 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER709D.tmp.WERInternalMetadata.xml | xml
MD5: BF8530E400D2ABE9325B63200748AA0F
SHA256: B6B32334A37CCA2079B9CF961279D40B993B36E463DD2618FB1B5DCACC20C8C7
4224 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER70BD.tmp.xml | xml
MD5: 06D5E4892262D70F7E64A66ACF0FB89A
SHA256: 6D0DEB6C6BC9F861A4D1B79172B0CA4719D9F8947B629E6B61E95909A73F03BF
7048 | AcroCEF.exe | C:\Users\admin\AppData\Local\Temp\$a6E2B.bat | text
MD5: 113BEE4BE3F179C7386F1901D5CC104D
SHA256: DB77999654F42D8A07E61D1E02759EAB1C74DA5C39E6508FCD48F968B5CA0D54
4984 | cmd.exe | C:\Users\admin\Desktop\AcroCEF.exe | executable
MD5: CD53C61345139DD549495633C7195A9D
SHA256: 2B2538D62A3D95CAA1EAAF402DDA55E9B0DC66E5A0B8F6C8FD3042550E48D56D
HTTP(S) requests: 8
TCP/UDP connections: 20
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 184.24.77.7:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.7:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6700 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
2940 | svchost.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6700 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 184.24.77.7:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.7:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4224 | WerFault.exe | 20.189.173.21:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 184.24.77.7
  • 184.24.77.6
  • 184.24.77.40
  • 184.24.77.34
  • 184.24.77.29
  • 184.24.77.30
  • 184.24.77.41
  • 184.24.77.4
  • 184.24.77.38
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.21
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
self.events.data.microsoft.com
  • 104.208.16.88
whitelisted

Threats

No threats detected
No debug info