| Field | Value |
|---|---|
| File name | 2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop |
| Full analysis | https://app.any.run/tasks/4a9a985b-aba5-4530-91a7-c501601aab53 |
| Verdict | Malicious activity |
| Analysis date | June 02, 2025, 12:35:31 |
| OS | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators | — |
| MIME | application/vnd.microsoft.portable-executable |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5 | 12A5BE8D6FF0E551423DCB790FA6051D |
| SHA1 | E9613D2574A1DA79F7B1F3440C48C12153E58C13 |
| SHA256 | C30BD854ABD792D51120C929A54B758C6C4EF26E6A6D7DE237480BA06AF0A273 |
| SSDEEP | 49152:FjpwdAZU6wms4bss4bss4yNus48jpwdAZU6wA:FNwaAAyw8Nww |

| Extension | TrID file type | Score (%) |
|---|---|---|
| .exe | Win32 Executable Microsoft Visual Basic 6 | 52.6 |
| .exe | Win32 Executable MS Visual C++ (generic) | 20 |
| .exe | Win64 Executable (generic) | 17.7 |
| .dll | Win32 Dynamic Link Library (generic) | 4.2 |
| .exe | Win32 Executable (generic) | 2.8 |

| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2013:11:21 16:57:18+00:00 |
| ImageFileCharacteristics | Executable, 32-bit |
| PEType | PE32 |
| LinkerVersion | 9 |
| CodeSize | 195584 |
| InitializedDataSize | 138752 |
| UninitializedDataSize | - |
| EntryPoint | 0x11e1e |
| OSVersion | 5 |
| ImageVersion | - |
| SubsystemVersion | 5 |
| Subsystem | Windows GUI |
| FileVersionNumber | 1.701.3.3014 |
| ProductVersionNumber | 1.701.3.3014 |
| FileFlagsMask | 0x003f |
| FileFlags | (none) |
| FileOS | Unknown (0x50004) |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | Neutral |
| CharacterSet | Unknown (000B) |
| CompanyName | Adobe Systems Incorporated |
| EnglishName | English |
| FileDescription | Adobe Reader and Acrobat Manager Helper |
| FileVersion | 1.701.3.3014 |
| LanguageId | 0409 |
| LegalCopyright | Copyright 2013 Adobe Systems Incorporated |
| ProductVersion | 1.701.3.3014 |

| PID | Command line | Image path | Parent process | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 208 | "C:\Users\admin\Desktop\2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe" | C:\Users\admin\Desktop\2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe | explorer.exe | admin | HIGH | Adobe Systems Incorporated | Adobe Reader and Acrobat Manager Helper | 1.701.3.3014 | 0 |
| 616 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat_sl.exe" | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe | AdobeARM.exe | admin | HIGH | Adobe Systems Incorporated | Adobe Acrobat SpeedLauncher | 22.3.20310.0 | 0 |
| 1012 | "C:\Users\admin\Desktop\2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe" | C:\Users\admin\Desktop\2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe | explorer.exe | admin | MEDIUM | Adobe Systems Incorporated | Adobe Reader and Acrobat Manager Helper | 1.701.3.3014 | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch could not elevate) |
| 2108 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 /l /slMode | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Acrobat.exe | admin | LOW | Adobe Systems Incorporated | Adobe Acrobat | 23.1.20093.0 | 0 |
| 4172 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /l /slMode | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | acrobat_sl.exe | admin | HIGH | Adobe Systems Incorporated | Adobe Acrobat | 23.1.20093.0 | 0 |
| 5324 | "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe | admin | HIGH | Adobe Inc. | Adobe Reader and Acrobat Manager | 1.824.460.1042 | 0 |
| 5512 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --slMode | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | acrobat_sl.exe | admin | HIGH | Adobe Systems Incorporated | Adobe AcroCEF | 23.1.20093.0 | 0 |
| 5800 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1680,i,9832315482309076324,14332914644140599869,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | AcroCEF.exe | admin | LOW | Adobe Systems Incorporated | Adobe AcroCEF | 23.1.20093.0 | 0 |
| 5864 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2184 --field-trial-handle=1680,i,9832315482309076324,14332914644140599869,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | AcroCEF.exe | admin | HIGH | Adobe Systems Incorporated | Adobe AcroCEF | 23.1.20093.0 | 0 |
| 6036 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2156 --field-trial-handle=1680,i,9832315482309076324,14332914644140599869,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | AcroCEF.exe | admin | LOW | Adobe Systems Incorporated | Adobe AcroCEF | 23.1.20093.0 | 0 |

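Added triage example over the process rows above (this is not part of the ANY.RUN report and not code from any Adobe component). It encodes the two things the table shows a responder: the sample carries "Adobe Reader and Acrobat Manager Helper" version info but runs from the user's Desktop and then spawns the genuine AdobeARM.exe from its install directory, and the second launch (PID 1012, medium integrity) exits with 3221226540, which is the NTSTATUS 0xC000042C STATUS_ELEVATION_REQUIRED. The Adobe install roots, the record layout and the rule names are assumptions of the example; the rows themselves are copied from the table.

```python
"""Added triage example over the process rows of the report above.
Not part of the ANY.RUN report or of any Adobe component; the install
roots, the record layout and the rule names are assumptions of this
example, the rows themselves are copied from the table."""
import ntpath
from dataclasses import dataclass

# Assumption: directories where a binary carrying Adobe version info is
# expected to live on this VM (taken from the genuine paths in the table).
ADOBE_ROOTS = (
    r"c:\program files\adobe",
    r"c:\program files (x86)\common files\adobe",
)

# NTSTATUS values named here; the report's one non-zero exit code is this.
NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str       # full image path
    company: str     # CompanyName from the version resource
    parent: str      # parent image file name as the report prints it
    integrity: str   # LOW / MEDIUM / HIGH
    exit_code: int


SAMPLE = r"C:\Users\admin\Desktop\2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe"

# Constructed from the process table above (a subset of the rows).
PROCS = [
    Proc(208, SAMPLE, "Adobe Systems Incorporated", "explorer.exe", "HIGH", 0),
    Proc(1012, SAMPLE, "Adobe Systems Incorporated", "explorer.exe", "MEDIUM", 3221226540),
    Proc(5324, r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
         "Adobe Inc.", ntpath.basename(SAMPLE), "HIGH", 0),
    Proc(616, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe",
         "Adobe Systems Incorporated", "AdobeARM.exe", "HIGH", 0),
]


def ntstatus(code: int) -> str:
    """Render a process exit code as an NTSTATUS, with its name if known."""
    value = code & 0xFFFFFFFF
    name = NTSTATUS_NAMES.get(value)
    return f"0x{value:08X}" + (f" {name}" if name else "")


def outside_vendor_dir(p: Proc) -> bool:
    """True when the image claims Adobe in its version info but is not
    installed under one of the expected Adobe roots."""
    if not p.company.lower().startswith("adobe"):
        return False
    img = p.image.lower()
    return not any(img.startswith(root + "\\") for root in ADOBE_ROOTS)


def findings(procs):
    """Return (pid, tag) pairs for the rows a responder should look at."""
    by_name = {}
    for p in procs:
        by_name.setdefault(ntpath.basename(p.image).lower(), []).append(p)
    out = []
    for p in procs:
        if outside_vendor_dir(p):
            out.append((p.pid, "vendor-metadata-outside-vendor-dir"))
        # A genuine vendor binary whose parent is such a masquerading image.
        parents = by_name.get(p.parent.lower(), [])
        if not outside_vendor_dir(p) and any(outside_vendor_dir(q) for q in parents):
            out.append((p.pid, f"genuine-binary-spawned-by:{p.parent}"))
        if p.exit_code != 0:
            out.append((p.pid, "exit:" + ntstatus(p.exit_code)))
    return out


if __name__ == "__main__":
    for pid, tag in findings(PROCS):
        print(pid, tag)
```

On a live host the same fields (Image, ParentImage, Company, IntegrityLevel) come from the Sysmon process-creation event, which is the natural feed for this rule; the parent lookup is by image name only because that is all the report prints, so on real telemetry key it by parent process GUID instead.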
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM | delete value | iNotify | — |
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM | write | iSpeedLauncherLogonTime | 8F304F4AC773DB01 (little-endian 64-bit FILETIME) |
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM | write | iLastProcessedPdfExtension | (empty) |
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty) |
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 5324 | AdobeARM.exe | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM | write | iLastProcessedMAU | (empty) |
| 5324 | AdobeARM.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM\Cleanup | write | tFiles | C:\WINDOWS\Temp\ArmUI.ini:*?C:\WINDOWS\Temp\ArmReport.ini |
| 5324 | AdobeARM.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM\Cleanup | delete key | (default) | — |
| 4172 | Acrobat.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934 | write | DisplayName | Adobe Acrobat Reader Protected Mode |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 208 | 2025-06-02_12a5be8d6ff0e551423dcb790fa6051d_amadey_elex_stop.exe | C:\Users\admin\AppData\Local\Temp\AdobeARM.log | text | F46BAF7F9627E10FF3337F01EDBAA291 | F8B836BD9B91DB77274B2E1B332159BAF78716AF00EFDD2BE8F6A844CD4B1AD7 |
| 5324 | AdobeARM.exe | C:\Windows\Temp\ArmReport.ini | text | 14715CFF689DBE0FD8228DF9E75439AC | 0D11D37FC2CE2A59B026EF81F768A8A80A6EFDBA8688DBA890415B53C69DE4DF |
| 5324 | AdobeARM.exe | C:\Windows\Temp\ArmUI.ini | text | B0DF20BAA9DEE27BDBC3285C7D6D4C57 | 76362509A8CA3E4A9FDC854C56674083EF77CA2C53628CE0ACF4BB4C42D73894 |
| 5512 | AcroCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index | binary | 54CB446F628B2EA4A5BCE5769910512E | FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D |
| 5324 | AdobeARM.exe | C:\Windows\Temp\AdobeARM.log | text | A79EA5E6F01CE585343875805E27FA37 | C7FBE57684BD253E436A6D1A70BFF1EF583B0A829BBF2FF5BDC5FCC2263E894F |
| 5512 | AcroCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index | binary | 973D1D31D67FEEDB2C460E0FD778376D | F8881CE26ECA5F52CD5E98B2437D721084D5333C75E044BB4A36E21FB435A6DB |
| 6036 | AcroCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\MANIFEST-000001 | binary | 5AF87DFD673BA2115E2FCF5CFDB727AB | F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 |
| 5512 | AcroCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index | binary | 9F77720864DF63181B7300650CC113CE | 683062638B12DE011E4DFEFA919AA93AF173B9B53858ACCA1DF042E34CFE25A0 |
| 5512 | AcroCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000001.dbtmp | text | 46295CAC801E5D4857D09837238A6394 | 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 |
| 5512 | AcroCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 | binary | 5AF87DFD673BA2115E2FCF5CFDB727AB | F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5796 | svchost.exe | GET | 200 | 2.16.164.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 536 | RUXIMICS.exe | GET | 200 | 2.16.164.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 536 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 5796 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 536 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5796 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 5796 | svchost.exe | 2.16.164.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
| 536 | RUXIMICS.exe | 2.16.164.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
| 5796 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted |
| 536 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| google.com | — | whitelisted |
| acroipm2.adobe.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| activation-v2.sls.microsoft.com | — | whitelisted |