IOC Report
BigProject.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| BigProject.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG | ASCII text | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy) | ASCII text | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG | ASCII text | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy) | ASCII text | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\3d1e02ca-7d74-4528-a57d-311e10c72d5b.tmp | JSON data | modified | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy) | JSON data | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3f0879.TMP (copy) | JSON data | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\cc0a8cc8-8a22-4222-80fc-8f4c3b556c85.tmp | JSON data | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log | data | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG | ASCII text | dropped | |
| C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy) | ASCII text | dropped | |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D | Certificate, Version=3 | dropped | |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression | dropped | |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D | data | dropped | |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | modified | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020 | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING | data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json | JSON data | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents | SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19 | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal | SQLite Rollback Journal | dropped | |
| C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\NavanItinerary[1].pdf | PDF document, version 1.4, 2 pages | dropped | |
| C:\Users\user\AppData\Local\Temp\MSIdf767.LOG | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf | PDF document, version 1.4, 2 pages | dropped | |
| C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-21 07-17-18-381.log | ASCII text, with very long lines (393) | dropped | |
| C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log | ASCII text, with very long lines (393), with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\acrocef_low\050f90c8-2a23-42b8-958b-88e6ef30b61e.tmp | gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142 | dropped | |
| C:\Users\user\AppData\Local\Temp\acrocef_low\a282d18c-4137-4d70-9022-174eb3ea79e8.tmp | gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022 | dropped | |
| C:\Users\user\AppData\Local\Temp\acrocef_low\a4495932-3e99-4b80-a658-81d1588d2b8b.tmp | gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360 | dropped | |
| C:\Users\user\AppData\Local\Temp\acrocef_low\cb7ec70a-0f05-4528-b259-ac2297228a02.tmp | gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538 | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\BigProject.exe | "C:\Users\user\Desktop\BigProject.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" | malicious |
| C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf" | |
| C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 | |
| C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| stem-mellows.cyou | | malicious |
| http://x1.i.lencr.org/ | unknown | |
| https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionD | unknown | |
| https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionC | unknown | |
| necklacebudi.lat | | |
| https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionw | unknown | |
| https://discokeyus.lat/apis | unknown | |
| https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion8Nzk | unknown | |
| https://discokeyus.lat/api | 172.67.197.170 | |
| aspecteirs.lat | | |
| https://discokeyus.lat/cYU5 | unknown | |
| energyaffai.lat | | |
| https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | unknown | |
| https://raw.githubusercontent.com/ | unknown | |
| https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.999 | unknown | |
| https://discokeyus.lat/v | unknown | |
| https://raw.githubusercontent.com/Q | unknown | |
| https://discokeyus.lat/ | unknown | |
| sustainskelet.lat | | |
| crosshuaht.lat | | |
| https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | unknown | |
| rapeflowwj.lat | | |
| grannyejh.lat | | |
| discokeyus.lat | | |
| https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion | 185.199.110.133 | |
| https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf | 185.199.110.133 | |

Domains

| Name | IP | Malicious |
|---|---|---|
| stem-mellows.cyou | unknown | malicious |
| raw.githubusercontent.com | 185.199.110.133 | |
| discokeyus.lat | 172.67.197.170 | |
| x1.i.lencr.org | unknown | |
| grannyejh.lat | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.199.110.133 | raw.githubusercontent.com | Netherlands | |
| 172.67.197.170 | discokeyus.lat | United States | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | LangID | |
| HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.FriendlyAppName | |
| HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.ApplicationCompany | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | Blob | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | Blob | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|