Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.15 09:11
DoorDash Wants to Give...
11.15 09:11
Homebrew pH Meter Uses...
11.15 09:11
France’s Proparco Anch...
11.15 09:11
Vietnamese Hacker Grou...
11.15 08:11
Alibaba Sales Disappoi...
11.15 08:11
BofA Strategists Say B...
11.15 08:11
Chinese SilkSpecter Ha...
11.15 08:11
Dark Web Profile: Cade...
11.15 08:11
Trump’s Anti-Regulatio...
11.15 08:11
체크멀, ‘2024 대한민국 디지털 이노...

Summary | ZeroBOX

free-mega-vip-roblox.pdf

PDF Suspicious Link PDF

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 9, 2021, 9:15 a.m.	Aug. 9, 2021, 9:17 a.m.

Size	41.5KB
Type	PDF document, version 1.4
MD5	`bd2cde8cfd6faa5405a6d3b337cd1543`
SHA256	`5ae6fccbbeb36d5271c2f06ee18b6f86091260b8c2ae224298e071f5084dcd0c`
CRC32	`793DA671`
ssdeep	`768:RhhJCQpMt7bhg/LOo5g7baa32NimyMreISQBIYl3MznyEK+:NTa9bhBoEaTN6KfqYl8bK+`
Yara	PDF_Suspicious_Link_Z - PDF Suspicious Link PDF_Format_Z - PDF Format

AcroRd32.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" C:\Users\test22\AppData\Local\Temp\free-mega-vip-roblox.pdf
2064
- Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
  2396
- Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
  3048
explorer.exe C:\Windows\Explorer.EXE
1248

Name	Response	Post-Analysis Lookup
swupmf.adobe.com	CNAME ssl.adobe.com.edgekey.net CNAME e4578.dscb.akamaiedge.net A 23.212.12.57	23.212.12.57

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.212.12.57	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2021, 9:15 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
request	GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2021, 9:15 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71093000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:08 a.m.	process_identifier: 1248 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000005410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory Aug. 9, 2021, 9:16 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71b22000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US