Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Navan - Itinerary.pdf.scr.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b5a9ce74-f230-4109-b7bd-9657976775a4.tmp
|
JSON data
|
modified
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log
|
data
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
|
SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4,
UTF-8, version-valid-for 15
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
|
SQLite Rollback Journal
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
|
Certificate, Version=3
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks,
0x1 compression
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
|
data
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
|
data
|
modified
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
|
SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8,
version-valid-for 25
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
|
SQLite Rollback Journal
|
dropped
|
||
|
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\NavanItinerary[1].pdf
|
PDF document, version 1.4, 2 pages
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\MSIf87bf.LOG
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf
|
PDF document, version 1.4, 2 pages
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-21 07-18-19-461.log
|
ASCII text, with very long lines (393)
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log
|
ASCII text, with very long lines (393), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrocef_low\124b6abb-1a10-40d6-a4b3-c90e90b087b5.tmp
|
gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrocef_low\2de96242-2280-41f5-b989-9672aa29f6d9.tmp
|
gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrocef_low\62626088-0d00-4dbd-b759-863a97c17b43.tmp
|
gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\acrocef_low\fc488cb0-f2fc-4313-91a0-ff3644bb20b2.tmp
|
gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 634912
|
dropped
|
There are 37 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe
|
"C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
|
|
|
|
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
|
"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\NavanItinerary.pdf"
|
||
|
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
|
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
|
||
|
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
|
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService
--lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0"
--lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2264
--field-trial-handle=1500,i,10956060416113398511,1382103396325876287,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker
/prefetch:8
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
stem-mellows.cyou
|
|
||
|
http://x1.i.lencr.org/
|
unknown
|
||
|
https://www.adobe.co
|
unknown
|
||
|
https://discokeyus.lat/yv
|
unknown
|
||
|
necklacebudi.lat
|
|||
|
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionY
|
unknown
|
||
|
https://discokeyus.lat/p
|
unknown
|
||
|
https://raw.githubusercontent.com/u
|
unknown
|
||
|
https://discokeyus.lat/
|
unknown
|
||
|
https://raw.githubusercontent.com/4
|
unknown
|
||
|
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion=
|
unknown
|
||
|
sustainskelet.lat
|
|||
|
crosshuaht.lat
|
|||
|
https://raw.githubusercontent.com/6
|
unknown
|
||
|
rapeflowwj.lat
|
|||
|
https://discokeyus.lat/api
|
172.67.197.170
|
||
|
grannyejh.lat
|
|||
|
aspecteirs.lat
|
|||
|
energyaffai.lat
|
|||
|
discokeyus.lat
|
|||
|
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion8z
|
unknown
|
||
|
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion
|
185.199.110.133
|
||
|
https://raw.githubusercontent.com/
|
unknown
|
||
|
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf
|
185.199.110.133
|
There are 14 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
stem-mellows.cyou
|
unknown
|
|
|
|
bg.microsoft.map.fastly.net
|
199.232.210.172
|
||
|
raw.githubusercontent.com
|
185.199.110.133
|
||
|
discokeyus.lat
|
172.67.197.170
|
||
|
x1.i.lencr.org
|
unknown
|
||
|
grannyejh.lat
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.199.110.133
|
raw.githubusercontent.com
|
Netherlands
|
||
|
172.67.197.170
|
discokeyus.lat
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
LangID
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.FriendlyAppName
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.ApplicationCompany
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
38C1000
|
heap
|
page read and write
|
|
|
|
2F7F000
|
stack
|
page read and write
|
||
|
345D000
|
stack
|
page read and write
|
||
|
122A000
|
heap
|
page read and write
|
||
|
CEE000
|
heap
|
page read and write
|
||
|
C4A000
|
heap
|
page read and write
|
||
|
F8D000
|
stack
|
page read and write
|
||
|
1188000
|
heap
|
page read and write
|
||
|
2B37000
|
heap
|
page read and write
|
||
|
331D000
|
stack
|
page read and write
|
||
|
351E000
|
stack
|
page read and write
|
||
|
CEC000
|
heap
|
page read and write
|
||
|
D06000
|
heap
|
page read and write
|
||
|
2FBE000
|
stack
|
page read and write
|
||
|
C9F000
|
heap
|
page read and write
|
||
|
3220000
|
heap
|
page read and write
|
||
|
704E6000
|
unkown
|
page readonly
|
||
|
38C1000
|
heap
|
page read and write
|
||
|
38A0000
|
heap
|
page read and write
|
||
|
387F000
|
stack
|
page read and write
|
||
|
2D2F000
|
stack
|
page read and write
|
||
|
F4F000
|
stack
|
page read and write
|
||
|
673000
|
unkown
|
page readonly
|
||
|
398B000
|
heap
|
page read and write
|
||
|
3A4A000
|
trusted library allocation
|
page read and write
|
||
|
398B000
|
heap
|
page read and write
|
||
|
2ADF000
|
stack
|
page read and write
|
||
|
C63000
|
heap
|
page read and write
|
||
|
500000
|
unkown
|
page readonly
|
||
|
11D9000
|
heap
|
page read and write
|
||
|
3740000
|
remote allocation
|
page read and write
|
||
|
34AF000
|
stack
|
page read and write
|
||
|
D30000
|
heap
|
page read and write
|
||
|
E4E000
|
stack
|
page read and write
|
||
|
321D000
|
stack
|
page read and write
|
||
|
B5C000
|
stack
|
page read and write
|
||
|
2B30000
|
heap
|
page read and write
|
||
|
11CF000
|
stack
|
page read and write
|
||
|
704ED000
|
unkown
|
page read and write
|
||
|
C10000
|
heap
|
page read and write
|
||
|
C1E000
|
heap
|
page read and write
|
||
|
361F000
|
stack
|
page read and write
|
||
|
3937000
|
heap
|
page read and write
|
||
|
CED000
|
heap
|
page read and write
|
||
|
37AD000
|
trusted library allocation
|
page read and write
|
||
|
30BF000
|
stack
|
page read and write
|
||
|
CFC000
|
heap
|
page read and write
|
||
|
452000
|
remote allocation
|
page execute and read and write
|
||
|
10CE000
|
stack
|
page read and write
|
||
|
C9D000
|
heap
|
page read and write
|
||
|
C4C000
|
heap
|
page read and write
|
||
|
377E000
|
stack
|
page read and write
|
||
|
37A0000
|
trusted library allocation
|
page read and write
|
||
|
321F000
|
stack
|
page read and write
|
||
|
1222000
|
heap
|
page read and write
|
||
|
349D000
|
stack
|
page read and write
|
||
|
DF5000
|
heap
|
page read and write
|
||
|
BF0000
|
heap
|
page read and write
|
||
|
CEC000
|
heap
|
page read and write
|
||
|
A8C000
|
stack
|
page read and write
|
||
|
66C000
|
unkown
|
page write copy
|
||
|
1100000
|
heap
|
page read and write
|
||
|
11B1000
|
heap
|
page read and write
|
||
|
377E000
|
stack
|
page read and write
|
||
|
37BD000
|
trusted library allocation
|
page read and write
|
||
|
1150000
|
heap
|
page read and write
|
||
|
311E000
|
stack
|
page read and write
|
||
|
CF0000
|
heap
|
page read and write
|
||
|
36EE000
|
stack
|
page read and write
|
||
|
3CBA000
|
heap
|
page read and write
|
||
|
C63000
|
heap
|
page read and write
|
||
|
C91000
|
heap
|
page read and write
|
||
|
398B000
|
heap
|
page read and write
|
||
|
CD2000
|
heap
|
page read and write
|
||
|
35EE000
|
stack
|
page read and write
|
||
|
3851000
|
trusted library allocation
|
page read and write
|
||
|
37CE000
|
trusted library allocation
|
page read and write
|
||
|
3CAC000
|
stack
|
page read and write
|
||
|
66D000
|
unkown
|
page write copy
|
||
|
C9F000
|
heap
|
page read and write
|
||
|
1233000
|
heap
|
page read and write
|
||
|
66C000
|
unkown
|
page read and write
|
||
|
11C7000
|
heap
|
page read and write
|
||
|
29DE000
|
stack
|
page read and write
|
||
|
119C000
|
heap
|
page read and write
|
||
|
367D000
|
stack
|
page read and write
|
||
|
30DD000
|
stack
|
page read and write
|
||
|
1180000
|
heap
|
page read and write
|
||
|
37C5000
|
trusted library allocation
|
page read and write
|
||
|
38C0000
|
heap
|
page read and write
|
||
|
3740000
|
remote allocation
|
page read and write
|
||
|
3A42000
|
trusted library allocation
|
page read and write
|
||
|
C83000
|
heap
|
page read and write
|
||
|
C1B000
|
heap
|
page read and write
|
||
|
D8B000
|
stack
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
3630000
|
heap
|
page read and write
|
||
|
114E000
|
stack
|
page read and write
|
||
|
33AE000
|
stack
|
page read and write
|
||
|
CFB000
|
heap
|
page read and write
|
||
|
335D000
|
stack
|
page read and write
|
||
|
2980000
|
heap
|
page read and write
|
||
|
2C2E000
|
stack
|
page read and write
|
||
|
C9F000
|
heap
|
page read and write
|
||
|
2B1D000
|
stack
|
page read and write
|
||
|
3A80000
|
heap
|
page read and write
|
||
|
108F000
|
stack
|
page read and write
|
||
|
3871000
|
trusted library allocation
|
page read and write
|
||
|
704EF000
|
unkown
|
page readonly
|
||
|
CF8000
|
heap
|
page read and write
|
||
|
501000
|
unkown
|
page execute read
|
||
|
B6F000
|
stack
|
page read and write
|
||
|
D06000
|
heap
|
page read and write
|
||
|
400000
|
remote allocation
|
page execute and read and write
|
||
|
500000
|
unkown
|
page readonly
|
||
|
3080000
|
heap
|
page read and write
|
||
|
D06000
|
heap
|
page read and write
|
||
|
10FA000
|
stack
|
page read and write
|
||
|
31DD000
|
stack
|
page read and write
|
||
|
DF0000
|
heap
|
page read and write
|
||
|
672000
|
unkown
|
page read and write
|
||
|
BE0000
|
heap
|
page read and write
|
||
|
C83000
|
heap
|
page read and write
|
||
|
C9F000
|
heap
|
page read and write
|
||
|
3A30000
|
trusted library allocation
|
page read and write
|
||
|
1242000
|
heap
|
page read and write
|
||
|
C4C000
|
heap
|
page read and write
|
||
|
501000
|
unkown
|
page execute read
|
||
|
38D9000
|
heap
|
page read and write
|
||
|
3937000
|
heap
|
page read and write
|
||
|
C9D000
|
heap
|
page read and write
|
||
|
11CA000
|
heap
|
page read and write
|
||
|
3873000
|
trusted library allocation
|
page read and write
|
||
|
37A5000
|
trusted library allocation
|
page read and write
|
||
|
704D0000
|
unkown
|
page readonly
|
||
|
1246000
|
heap
|
page read and write
|
||
|
144F000
|
stack
|
page read and write
|
||
|
1170000
|
heap
|
page read and write
|
||
|
38FE000
|
heap
|
page read and write
|
||
|
CD2000
|
heap
|
page read and write
|
||
|
704D1000
|
unkown
|
page execute read
|
||
|
1263000
|
heap
|
page read and write
|
||
|
359D000
|
stack
|
page read and write
|
||
|
37A7000
|
trusted library allocation
|
page read and write
|
||
|
37B6000
|
trusted library allocation
|
page read and write
|
||
|
3BAB000
|
stack
|
page read and write
|
||
|
3AB0000
|
heap
|
page read and write
|
||
|
3740000
|
remote allocation
|
page read and write
|
||
|
37B0000
|
trusted library allocation
|
page read and write
|
||
|
38C1000
|
heap
|
page read and write
|
||
|
C98000
|
heap
|
page read and write
|
||
|
673000
|
unkown
|
page readonly
|
There are 142 hidden memdumps, click here to show them.