Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.15 04:11
LG유플러스, 네트워크 협력사와 동반성장...
11.15 04:11
중고 골프채 사이트 1등골프, 인기 브랜...
11.15 04:11
Safeguarding Healthcar...
11.15 04:11
Musk’s X Sues to Block...
11.15 04:11
[CEO 보안칼럼] “다윗은 언제나 골리...
11.15 04:11
자민경 달팽이 크림, PX 누적 판매 1...
11.15 04:11
라쿠텐·쉽너지, 일본 역직구 판매자 위한...
11.15 04:11
명지대, 서울마이칼리지 점프업 사업 ‘서...
11.15 04:11
JioStar Eyes India Str...
11.15 04:11
Meta to Appeal Orders ...

Summary | ZeroBOX

1.pdf

PDF

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 5, 2021, 10:31 a.m.	Aug. 5, 2021, 10:34 a.m.

Size	693.6KB
Type	PDF document, version 2.0
MD5	`a0c7e9dc69e439cb431e6dea9f0d5930`
SHA256	`359ab5e0b57da0307ca9472e5b225dcd0f9dc9bf2efd2f15b1ca45b78791b6bc`
CRC32	`308D9976`
ssdeep	`12288:e9wwBpdbie7g84OTKuBqOX1BNVT5m+YH+JARGEwuxkIOcaj/5vDTWjaOyG2:Xkdz7y2DBJ1dYHoARzTkjcwvDTWOL`
Yara	PDF_Format_Z - PDF Format

AcroRd32.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" C:\Users\test22\AppData\Local\Temp\1.pdf
2004
- Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
  2460
- Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
  2112
explorer.exe C:\Windows\Explorer.EXE
1248

Name	Response	Post-Analysis Lookup
swupmf.adobe.com	CNAME ssl.adobe.com.edgekey.net CNAME e4578.dscb.akamaiedge.net A 23.212.12.57 A 23.40.44.138	104.109.240.143

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.212.12.57	Active	Moloch
23.40.44.138	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2021, 10:32 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
request	GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2021, 10:31 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fe73000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 5, 2021, 10:25 a.m.	process_identifier: 1248 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory Aug. 5, 2021, 10:33 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71b22000 process_handle: 0xffffffff	1	0	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

ALYac	Trojan.PDF.208091A
Kaspersky	UDS:Trojan-Dropper.PDF.Agent.a
ViRobot	Trojan.Win32.S.FakePDF.710268
McAfee-GW-Edition	Artemis
AhnLab-V3	Exploit/PDF.FakeDocu
McAfee	Artemis!A0C7E9DC69E4
Qihoo-360	susp.pdf.jsexp.gen

One or more non-whitelisted processes were created (2 events)

parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US