Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 12, 2021, 9:30 a.m.	Oct. 12, 2021, 9:32 a.m.

Size	61.2KB
Type	PDF document, version 1.7
MD5	`4bcd422bbc3db021a18e1298bf1577d7`
SHA256	`9964a814b379e4cdbf3769d940e00162e7310ec8bd7a4072474c47d6634811f4`
CRC32	`06FCB2B7`
ssdeep	`768:I3ArOLYLMd3KrdrAyPIYy1I+LYSxr6vi/+DSM/VLpLxmLJLeHLuh:sArMH8rqyPuf1N6vi/+ekxuRMuh`
Yara	PDF_Format_Z - PDF Format

AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\Users\test22\AppData\Local\Temp\PO-08YGK.pdf
896

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 12, 2021, 9:30 a.m.	process_identifier: 896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e983000 process_handle: 0xffffffff	1	0	0

cmdline

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

parent_process

acrord32.exe

martian_process

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

PO-08YGK.pdf