Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 9, 2021, 4:54 p.m.	Dec. 9, 2021, 4:56 p.m.

Size	91.1KB
Type	PDF document, version 1.4
MD5	`11b4f71af56677c1715f738d2788d8e4`
SHA256	`d45db6f7dd160e227d2b3602ea38a27fc7e722584f6d7d1d1bc75d6e646054a4`
CRC32	`F1216F70`
ssdeep	`1536:E1ZgQ6HMh3VQ2UMgH3tMjXB53Sl1nF7nO9vHPWLG51o6/vvXWGpOGoWXT+fc5Xrs:66sh3VrUMgXu53+1nA5vWLo1owkGyG7s`
Yara	PDF_Format_Z - PDF Format PDF_Suspicious_Link_Z - PDF Suspicious Link

AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\Users\test22\AppData\Local\Temp\13253144463.pdf
1408

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 9, 2021, 4:54 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70fc3000 process_handle: 0xffffffff	1	0	0

cmdline

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

parent_process

acrord32.exe

martian_process

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

13253144463.pdf