Joe Sandbox - Report 27422

General Information

Analysis ID:	27422
Start time:	15:38:10
Start date:	16/11/2012
Overall analysis duration:	0h 3m 18s
Sample file name:	2c4513647290a7e9817eba83e383973e.pdf
Cookbook file name:	Ret Dump.jbs
Analysis system description:	XP SP3 (Office 2003 SP1, Java 1.5.0, Acrobat Reader 8.1.2, Internet Explorer 6, Flash 10.1.82.76)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
SCAE enabled:	true
SCAE success:	false, ratio: 0%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates files inside the program directory
Creates temporary files
Queries a list of all running processes
Reads ini files
Spawns processes
Urls found in memory or binary data
Creates files inside the system directory
Creates mutexes	\BaseNamedObjects\oleacc-msaa-loaded \BaseNamedObjects\Global\AcrobatViewerIsRunning
Deletes Windows files
Drops PE files
Found strings which match to known bank urls
May tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Allocates a big amount of memory (probably used for heap spraying)
Creates an autostart registry key
Detected shellcode (checkout the disassembly section)
Document exploit detected (droppes PE files)
Document exploit detected (process start blacklist hit)
Modifies existing windows services
NOP-sled detected (often used during heap spraying before exploitation)
Uses ipconfig to modify the Windows network settings

Startup

system is xp2 AcroRd32.exe (PID: 1944 MD5: 80660C611B596FFE8AF4074B31AA6FB7) svohost.exe (PID: 860 MD5: 0E42C23E58D0A4657BE0CE06103045EE) cmd.exe (PID: 1784 MD5: 6D778E0F95447E6546553EEEA709D03C) attrib.exe (PID: 236 MD5: E6D680494C812B82A15600FD23C94424) cmd.exe (PID: 560 MD5: 6D778E0F95447E6546553EEEA709D03C) svohost.exe (PID: 1456 MD5: 0E42C23E58D0A4657BE0CE06103045EE) cmd.exe (PID: 1996 MD5: 6D778E0F95447E6546553EEEA709D03C) expand.exe (PID: 612 MD5: 9F06D6991CAB51B1199817A4479A799F) iexplore.exe (PID: 1396 MD5: 55794B97A7FAABD2910873C85274F409) cmd.exe (PID: 1928 MD5: 6D778E0F95447E6546553EEEA709D03C) ipconfig.exe (PID: 1052 MD5: 34781A7E9683F42C4B2FE6F09456568C) cmd.exe (PID: 2000 MD5: 6D778E0F95447E6546553EEEA709D03C) cmd.exe (PID: 1988 MD5: 6D778E0F95447E6546553EEEA709D03C) AcroRd32.exe (PID: 868 MD5: 80660C611B596FFE8AF4074B31AA6FB7) cleanup

system is xp2

AcroRd32.exe (PID: 1944 MD5: 80660C611B596FFE8AF4074B31AA6FB7)

svohost.exe (PID: 860 MD5: 0E42C23E58D0A4657BE0CE06103045EE)

cmd.exe (PID: 1784 MD5: 6D778E0F95447E6546553EEEA709D03C)

attrib.exe (PID: 236 MD5: E6D680494C812B82A15600FD23C94424)

cmd.exe (PID: 560 MD5: 6D778E0F95447E6546553EEEA709D03C)

svohost.exe (PID: 1456 MD5: 0E42C23E58D0A4657BE0CE06103045EE)

cmd.exe (PID: 1996 MD5: 6D778E0F95447E6546553EEEA709D03C)

expand.exe (PID: 612 MD5: 9F06D6991CAB51B1199817A4479A799F)

iexplore.exe (PID: 1396 MD5: 55794B97A7FAABD2910873C85274F409)

cmd.exe (PID: 1928 MD5: 6D778E0F95447E6546553EEEA709D03C)

ipconfig.exe (PID: 1052 MD5: 34781A7E9683F42C4B2FE6F09456568C)

cmd.exe (PID: 2000 MD5: 6D778E0F95447E6546553EEEA709D03C)

cmd.exe (PID: 1988 MD5: 6D778E0F95447E6546553EEEA709D03C)

AcroRd32.exe (PID: 868 MD5: 80660C611B596FFE8AF4074B31AA6FB7)

cleanup

Created / dropped Files

File Path	MD5
C:\2c4513647290a7e9817eba83e383973e.pdf	BDD37075F2067953484593D8615F5F2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe	0E42C23E58D0A4657BE0CE06103045EE
C:\WINDOWS\system32\svohost.exe	0E42C23E58D0A4657BE0CE06103045EE
C:\WINDOWS\system32\wisptis.dll	9BF70B3A270331A70A7B2E4AE6C13A59
C:\WINDOWS\system32\wisptis.dll.tmp	01EDACD197D4BBD5A4CE55F82B3850D9
\Win32Pipes.0000035c.00000002	D9C586991FACF81AE3350D1F2468D551
\Win32Pipes.00000574.00000001	4ADD705E1F4B312A7E43B54C0B74AEF7
\Win32Pipes.000005b0.00000001	458E210DA4BA1F78026B0BEC1DC016B7

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type:	PDF document, version 1.7
File name:	2c4513647290a7e9817eba83e383973e.pdf
File size:	277468
MD5:	2c4513647290a7e9817eba83e383973e
SHA1:	0b13c003b80cff5090d98dad229ba1659be3b361
SHA256:	adae21425923eaef600da48610d0e34ac4006d12b2e507d32540f46d767e5244
SHA512:	8d50850e654b7ca109d0b31ff569ab44b04f77b09782dff1d61bb9c9b949ffddefbfaa06bf3d225db797c66e827d6af97a2c7f74b4c19d45b5add56460895d4b

String Analysis

URLs

String value	Source
http://cgi.adobe.com/special/acrobat/upda	AcroRd32.exe
http://download.adobe.com/pub/adobe/reader/all/7x/7.0/enu/reader.pdfadobe	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/inbo	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/inbox/:hidd	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/review	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:b	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:connectionstat	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:doc	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:docli	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:doctit	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:fold	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:hasconnect	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:isinitiat	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:isoffli	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:isonli	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:lastsy	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:latestversi	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:locati	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:meth	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:remoteu	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:serverrevie	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:workspa	AcroRd32.exe
http://ns.adobe.com/pdf/1.3/	AcroRd32.exe, 2c4513647290a7e9817eba83e383973e.pdf.dr
http://ns.adobe.com/xap/1.0/	AcroRd32.exe, 2c4513647290a7e9817eba83e383973e.pdf.dr
http://ns.adobe.com/xap/1.0/mm/	AcroRd32.exe, 2c4513647290a7e9817eba83e383973e.pdf.dr
http://purl.org/dc/elements/1.1/	AcroRd32.exe, 2c4513647290a7e9817eba83e383973e.pdf.dr
http://schemas.microsoft.com/sharepoint/soa	AcroRd32.exe
http://www.adobe.com$isocountry$special/products/acrobat/apip.htmlhttp://www.adobe.com$isocountry$mi	AcroRd32.exe
http://www.adobe.com/acrobat&do	AcroRd32.exe
http://www.adobe.com/acrobat/	AcroRd32.exe
http://www.adobe.com/acrobat/http://www.adobe.com/offer/110400http://www.adobe.com/acrofamily/main.h	AcroRd32.exe
http://www.adobe.com/acrobatthe	AcroRd32.exe
http://www.adobe.com/acrobatthis	AcroRd32.exe
http://www.adobe.com/go/sc_learn_morethis	AcroRd32.exe
http://www.adobe.com/products/acrobat/alternate.html&download	AcroRd32.exe
http://www.adobe.com/products/acrobat/readstep2.ht	AcroRd32.exe
http://www.adobe.com/support/expert_support/main.htmlhttp://www.adobe.com/support/products/acrobat.h	AcroRd32.exe
http://www.adobe.com/support/techdocs/332720.htmlhttp://www.adobe.com/support/jp/support/acro8j_prn.	AcroRd32.exe
http://www.dictionary.com/cgi-bin/dict.pl?ter	AcroRd32.exe
http://www.w3.org/1999/02/22-rdf-syntax-ns#	AcroRd32.exe, 2c4513647290a7e9817eba83e383973e.pdf.dr
http://www.w3.org/1999/xht	AcroRd32.exe
http://www.w3.org/1999/xhtml	AcroRd32.exe
https://idisk.mac.co	AcroRd32.exe
https://www.adobeereg.com/https://www.winsoft.fr/registration/registration1.jsp?pageid=regmp1adobe	AcroRd32.exe

Bank names

String value	Source
but rasterizes very complex transparent regions. Generally the best setting for printing and exporting most pages. With some printers, improves transition issues between bordering vector and raster objects.Maintains most of the page content as vectors, rasterizing only extremely complex areas. Produces high quality output that is generally resolution-independent. Higher occurrences of transparent regions will increase processing time. With some printers improves transition issues between bordering vector and raster objects.The entire page is printed or exported as vector data, to the greatest extent possible. This produces the highest quality resolution-independent output. Processing of complex pages may be very time and memory intensiveSelect an ICC Profile that describes the target output device. If 'Printer/PostScript Color Management' is selected, convert any ICC profiles to PostScript CSAs, and color will be managed in the printer RIP. If 'Same as Source (No Color Management)' is selected, embedded profiles are ignored, and only device values are sent.Emit this plate by converting it to one or more process colors.Emit this plateDon't emit this plateDouble-click on the plate entry to launch the Ink Manager.HorizontalVerticalHorizontal and VerticalPreparing Printing Flattening Multiple FilesCompositeAs ImageSimplexDuplex Flip Long EdgeDuplex Flip Short EdgeThe current setup requires a printer capable of printing both sides. The selected printer may not support it. Do you still want to continue printing?PreserveConvertConvert to AlternateMap to %SPOTNAMEDecalibrateDevice RGB: Device CMYK: Device Gray: Calibrated RGB: Calibrated CMYK: Calibrated Gray: Lab: AllDeviceCMYKNot DeviceCMYKRGBGrayCalGrayCalibratedLabDeviceDeviceCMYK and SpotSpot ColorImagesSolid ColorSmooth ShadesDeviceRGBDeviceGraySeparationsColor WarningsOutput Intent: Process PlatesSpot PlatesLeave Unchanged[No trap preset][Default]CenterChokeNeutral DensitySpreadMiterRoundBevelOverlapDensitySequenceNameTypeInkEmitSampleFrequencyAngleInDesignJ1I equals www.regions.com (Regions Bank)	AcroRd32.exe
that is used. Form XObjects are used to create a single description for complex objects that can appear many times in a single document, like background images, for example.Choose Composite or Separated output. Separations are only available on PostScript devices. Composite output will produce one page of output per page. Printing Separations will cause the document colors to be separated according to the parameters described in the ink list. InRip separations are only available on PostScript 3 devices.Choose Lines Per Inch and Dots Per Inch combinations from the Printer Description file (PPD).Select a threshold for the transparency flattener rasterization. Selecting a higher value will cause less of the document to be rasterized during flattening, but will increase printing time.Choose Convert all spots to process to force all spot colors to be converted to process colors on output.Select a threshold for the transparency flattener rasterization. Selecting a higher value causes less of the document to be rasterized, but increases printing time. The amount of rasterization that occurs depends on the amount of RAM available to the program, the complexity of the page, and the types of overlapping objects.The entire page will be rasterized. Use this setting for printing or exporting complex pages with many transparent objects. Ideal for fast output at low resolution; higher resolution will yield higher quality but increase processing time. Size of saved files or print spool files may be large.Maintains simpler vector objects, but rasterizes more complex areas involving transparency. Ideal for artwork with only a few transparent objects. Some printers may yield rough transitions between bordering vector and raster objects and make hairlines appear thicker. Appropriate for low-memory systems.Maintains most objects as vector data, but rasterizes very complex transparent regions. Generally the best setting for printing and exporting most pages. With some printers, improves transition issues between bordering vector a equals www.regions.com (Regions Bank)	AcroRd32.exe
WINTRUST.d equals www.wintrust.com (Wintrust Financial Corporation)	ipconfig.exe
d &hidden layer content and flatten visible layersDetect an&d merge image fragmentsCon&vert smooth lines to curvesDiscard embedded pri&nt settingsDiscard boo&kmarksDiscard embedded search &indexDiscard user related informationDiscard all co&mments, forms and multimediaDiscard document &information and metadataDiscard all &object dataDiscard &file attachmentsDiscard e&xternal cross referencesDiscard &hidden layer content and flatten visible layersDiscard p&rivate data of other applicationsTransparency SettingsFlattens transparent regions in the pageConversion WarningsAdd Header and Footer&Saved Settings:Sa&ve Settings...Save current settings as:&Delete&Left:&Right:&Top:&Bottom:&Page Number Format:&Date Format:Left Header TextCenter Header TextRight Header TextLeft Footer TextCenter Footer TextRight Footer Text&All Pages&Pages from:Save SettingsLine Separator:Line Width: Pa&ge Range Options...Page Range OptionsPage Nu&mber and Date Format...Page Number and Date FormatAppearance Options&Appearance Options...Text Background Color:&InsertIns&ertRe&moveIns&ert Date&Insert Page Number&PreviewPage &Range&Subset:All Pagesfrom:t&o:FontFo&ntSi&ze:&Align:Na&me:St&yle:Mar&gins (inches)Te&xt:S&tart Page Number:Repla&ce existing headers and footers on these pages&Shrink document to avoid overwriting the document's text and graphics&Keep position and size of header/footer text constant when printing on different page sizesBIUCPreviewPrevie&w Pageof %nBates Numbering Options&Number of Digits:&Start Number:&Prefix:&Suffix:Create LinkCreate Link from SelectionLink Appearance&Page:1234567890&Zoom:File:&Address:Link Action&Go to a page viewOpen a &fileOpen a &web page&Custom linkDocument StatusThis document has special status or special features.&Close&Do not show this dialog next time this document is opened.Legal &Notice...Signature &Properties...Document Management ProfileProfile* Indicates required fieldVersion CommentsEnter your version comments:Publish this document after check-inPreview SettingsR&efreshRasterized Complex R equals www.regions.com (Regions Bank)	AcroRd32.exe
exDiscard user related informationDiscard all co&mments, forms and multimediaDiscard document &information and metadataDiscard all &object dataDiscard &file attachmentsDiscard e&xternal cross referencesDiscard &hidden layer content and flatten visible layersDiscard p&rivate data of other applicationsTransparency SettingsFlattens transparent regions in the pageConversion WarningsAdd Header and Footer&Saved Settings:Sa&ve Settings...Save current settings as:&Delete&Left:&Right:&Top:&Bottom:&Page Number Format:&Date Format:Left Header TextCenter Header TextRight Header TextLeft Footer TextCenter Footer TextRight Footer Text&All Pages&Pages from:Save SettingsLine Separator:Line Width: Pa&ge Range Options...Page Range OptionsPage Nu&mber and Date Format...Page Number and Date FormatAppearance Options&Appearance Options...Text Background Color:&InsertIns&ertRe&moveIns&ert Date&Insert Page Number&PreviewPage &Range&Subset:All Pagesfrom:t&o:FontFo&ntSi&ze:&Align:Na&me:St&yle:Mar&gins (inches)Te&xt:S&tart Page Number:Repla&ce existing headers and footers on these pages&Shrink document to avoid overwriting the document's text and graphics&Keep position and size of header/footer text constant when printing on different page sizesBIUCPreviewPrevie&w Pageof %nBates Numbering Options&Number of Digits:&Start Number:&Prefix:&Suffix:Create LinkCreate Link from SelectionLink Appearance&Page:1234567890&Zoom:File:&Address:Link Action&Go to a page viewOpen a &fileOpen a &web page&Custom linkDocument StatusThis document has special status or special features.&Close&Do not show this dialog next time this document is opened.Legal &Notice...Signature &Properties...Document Management ProfileProfile* Indicates required fieldVersion CommentsEnter your version comments:Publish this document after check-inPreview SettingsR&efreshRasterized Complex RegionsTransparent ObjectsAll Affected ObjectsExpanded PatternsOutlined Strokes&HighlightApply to PDFApplyTransparency Flattener Preset OptionsFlattener PreviewC&urrent pageAll pages in &docume equals www.regions.com (Regions Bank)	AcroRd32.exe
raster objects.Maintains most of the page content as vectors, rasterizing only extremely complex areas. Produces high quality output that is generally resolution-independent. Higher occurrences of transparent regions will increase processing time. With some printers improves transition issues between bordering vector and raster objects.The entire page is printed or exported as vector data, to the greatest extent possible. This produces the highest quality resolution-independent output. Processing of complex pages may be very time and memory intensiveSelect an ICC Profile that describes the target output device. If 'Printer/PostScript Color Management' is selected, convert any ICC profiles to PostScript CSAs, and color will be managed in the printer RIP. If 'Same as Source (No Color Management)' is selected, embedded profiles are ignored, and only device values are sent.Emit this plate by converting it to one or more process colors.Emit this plateDon't emit this plateDouble-click on the plate entry to launch the Ink Manager.HorizontalVerticalHorizontal and VerticalPreparing Printing Flattening Multiple FilesCompositeAs ImageSimplexDuplex Flip Long EdgeDuplex Flip Short EdgeThe current setup requires a printer capable of printing both sides. The selected printer may not support it. Do you still want to continue printing?PreserveConvertConvert to AlternateMap to %SPOTNAMEDecalibrateDevice RGB: Device CMYK: Device Gray: Calibrated RGB: Calibrated CMYK: Calibrated Gray: Lab: AllDeviceCMYKNot DeviceCMYKRGBGrayCalGrayCalibratedLabDeviceDeviceCMYK and SpotSpot ColorImagesSolid ColorSmooth ShadesDeviceRGBDeviceGraySeparationsColor WarningsOutput Intent: Process PlatesSpot PlatesLeave Unchanged[No trap preset][Default]CenterChokeNeutral DensitySpreadMiterRoundBevelOverlapDensitySequenceNameTypeInkEmitSampleFrequencyAngleInDesignJ1InDesignJ2IllustratorIllustratorJQuarkXPressBlack & WhiteThis settings file is invalid. Please choose a different one.The settings file name was too long. Please enter a shorter file name.Setti equals www.regions.com (Regions Bank)	AcroRd32.exe

VM Artifacts

String value	Source
eSelectedavMCCreationDateavMCModificationDateavMCAuthoravMCTitleavMCSubjectavMCFileNameavMCKeywordsavMCCommentsavMCBookmarksavMCImagesavMCDocXMPavMCObjectDataavMCAttachmentsavCOEqualsavCOContainsavCONotEqualavCOLessThanavCOGreaterThanavCOIsNotavSearchArrangeWindowsavSearchArrangeWindowsToolTipavSearchArrangeWindowLeftavSearchArrangeWindowRightavSearchAndRedactCandidatesavSearchAndRedactCheckAllavSearchAndRedactUncheckAllavSearchAndRedactWarningavConfirmPasteavPasteButtonavReplaceButtonavBuiltInavMacRomanavMacExpertavWindowsavStandardavCustomavType1avMMavType3avTrueTypeavType0avCIDType0avCIDType2avUnknownavEmbeddedavEmbeddedOTavSubsetavSubsetOTavTypeavEncodingavSubstituteUnknownavSubstituteavSubstituteTypeavAppleMenuavSpecialCharactersMenuItemavNewBlankDocumentavDocManSubMenuavCheckOutMenuItemavCheckInMenuItemavUndoCheckOutMenuItemavApproveMenuItemavPublishMenuItemavRejectMenuItemavApplicationRightsMenuItemavSaveACopyMenuItemavQuitReaderMenuItemavPrintBadFromavPrintBadToavPrintInvalidRangeavPrintEmptyRangeavRedactSelectedTextMenuItemavRedactUndoavRedactRedoavCopySelectedGraphicMenuItemavSelectAllTextMenuItemavDeselectAllTextMenuItemavPrintSelectionMenuItemavGetInfoImageavImageInfoavConfirmCreateImageCatalogavAGMComDocResavAGMComPageResavAGMStmDocFontavAGMStmDocResavAGMDLCSAavAGMDLCRDavAGMDLGradavAGMStmImageavAGMStmOPIavAGMPRSepavAGMDLSepavAGMStmDocPSavAGMDocEPIavAGMPageEPIavAGMPCavAGMPPIavAGMPImageProgressavEmptyPageRangeavPrintDevIndependentavPrintSettingavPrintPanelDefSettingsavPrintPanelPSavPrintPanelTransparencyavPrintPanelTransparencyAmpavPrintPanelColoravPrintPanelMarksBleedsavPrintPanelLayersavFlatPresetsMenuItemavGeneralPrefsMenuItemHelpavFixedZoomMenuItemavFullScreenMenuItemWindowMenuavProofSetupMenuavProofCustomMenuItemavProofInkBlackMenuItemavProofPaperWhiteMenuItemavProofColorsMenuItemavOverprintPreviewMenuItemavPDFAPolicySubMenuavPDFAPolicyNeveravPDFAPolicyAlwaysavPDFAPolicyWhenCompliantavOpenLinkInNewWindowavFunctionKeyPaletteMenuItemavAdvancedMenuavPrintProductionSubMenuavDocumentProcessingSubMenuavLookUpDefinitionMenuItemavLookUpWordMenuItem2avTileMonitorsMenuItemavCantLoadResourceavServicesMenuItemavHideAcrobatMenuItemavHideReaderMenuItemavHideOthersMenuItemavShowAllMenuItemavMinimizeMenuItemavMinimizeAllMenuItemavZoomWindowMenuItemavBringAllToFrontMenuItemavReadingSplitavSpreadsheetSplitavRemoveSplitavHideThisButtonavShowToolbarsMenuItemHelpavHideToolbarsMenuItemavHideToolbarsMenuItemHelpavHideToolbarsWarningavShowHideToolbarButtonTipavZoomToolsContextMenuavPropertyToolbarMenuItemHelpavPropertyBarDefaultLabelavTaskButtonsSubMenuavTasksHomeTitleavTasksCreatePDFTitleavTasksCombineFilesTitleavTasksSearchTitleavTasksEngineeringTitleavTasksOutputTitleavTasksExportTitleavShowHowToMenuItemavHideHowToMenuItemavShowAllTaskButtonsMenuItemavHowToMoreTopicsTitleavTasksDockLeftavTasksDockRightavDockCloseMenuItemavTasksShowAtStartupavTasksShowAtStartupMenuItemavDefaultAutoShowTitleavLaunchReaderHelpavLaunchAcrobatHelpavLaunchAcrobatStandardHelpavAboutAcrobatExchMenuItemavAboutAcrobatExchMenuItemProavAboutAcrobatExchMenuItemPro3DavAboutAcrobatExchMenuItemStdavTasksHomeButtonavTasksPrevViewButtonavTasksNextViewButtonavTasksCloseButtonavAboutMenuItemHelpavAdobeExpertSupportURLavOnlineSupportURLavOnlineSupportURLReaderavAccessOnlineURLavDetectAndRepairAcrobatMenuItemavPageSizePointsavPageSizeCentimetersavPageSizePicasavPageSizeFeetavPageSizeYardsavPageSizeMetersavPageSizeKilometersavPageSizeMilesavPageSizeCustomavPageSizeStringPointsavPageSizeStringInchesavPageSizeStringMillimetersavPageSizeStringCentimetersavPageSizeStringPicasavPageSizeStringFeetavPageSizeStringYardsavPageSizeStringMetersavPageSizeStringKilometersavPageSizeStringMilesavPageSizeSquareForAreaUnitsavDistanceMeasurementavCompoundDistanceMeasurementavAreaMeasurementavUnitsavZoomavOpenRecentavCopyFileToClipboardMsgavPages1to2ofNav1ofNav1to2ofNavParens1ofNavEnteravTabavEscapeavDeleteavPageUpavPageDownavWhereIsHelpFileavSinglePageavOneColumnavTwoColumnsavTwoColumnsMenuItemHelpavTwoPagesavTwoPagesMenuItemHelpavTwoPagesLeftavTwoPagesRightavTwoColumnsLeftavTwoC	AcroRd32.exe
cumentsavSearchMatchWholeWordsavSearchCaseSensitiveavSearchBookmarksavSearchCommentsavSearchAttachmentsavHowPreciseavSearchTheInternetavRefineSearchWhatavSortByavRelevanceRankingavDateModifiedavFilenameavLocationavSortNoneavProximityavStemmingavSearchNoteavSearchSearchAcrossavSearchDependingavSearchOnlyPDFsavSearchExactWordavSearchAllWordsavSearchAnyWordsavSearchBooleanQueryavMCNoneSelectedavMCCreationDateavMCModificationDateavMCAuthoravMCTitleavMCSubjectavMCFileNameavMCKeywordsavMCCommentsavMCBookmarksavMCImagesavMCDocXMPavMCObjectDataavMCAttachmentsavCOEqualsavCOContainsavCONotEqualavCOLessThanavCOGreaterThanavCOIsNotavSearchArrangeWindowsavSearchArrangeWindowsToolTipavSearchArrangeWindowLeftavSearchArrangeWindowRightavSearchAndRedactCandidatesavSearchAndRedactCheckAllavSearchAndRedactUncheckAllavSearchAndRedactWarningavConfirmPasteavPasteButtonavReplaceButtonavBuiltInavMacRomanavMacExpertavWindowsavStandardavCustomavType1avMMavType3avTrueTypeavType0avCIDType0avCIDType2avUnknownavEmbeddedavEmbeddedOTavSubsetavSubsetOTavTypeavEncodingavSubstituteUnknownavSubstituteavSubstituteTypeavAppleMenuavSpecialCharactersMenuItemavNewBlankDocumentavDocManSubMenuavCheckOutMenuItemavCheckInMenuItemavUndoCheckOutMenuItemavApproveMenuItemavPublishMenuItemavRejectMenuItemavApplicationRightsMenuItemavSaveACopyMenuItemavQuitReaderMenuItemavPrintBadFromavPrintBadToavPrintInvalidRangeavPrintEmptyRangeavRedactSelectedTextMenuItemavRedactUndoavRedactRedoavCopySelectedGraphicMenuItemavSelectAllTextMenuItemavDeselectAllTextMenuItemavPrintSelectionMenuItemavGetInfoImageavImageInfoavConfirmCreateImageCatalogavAGMComDocResavAGMComPageResavAGMStmDocFontavAGMStmDocResavAGMDLCSAavAGMDLCRDavAGMDLGradavAGMStmImageavAGMStmOPIavAGMPRSepavAGMDLSepavAGMStmDocPSavAGMDocEPIavAGMPageEPIavAGMPCavAGMPPIavAGMPImageProgressavEmptyPageRangeavPrintDevIndependentavPrintSettingavPrintPanelDefSettingsavPrintPanelPSavPrintPanelTransparencyavPrintPanelTransparencyAmpavPrintPanelColoravPrintPanelMarksBleedsavPrintPanelLayersavFlatPresetsMenuItemavGeneralPrefsMenuItemHelpavFixedZoomMenuItemavFullScreenMenuItemWindowMenuavProofSetupMenuavProofCustomMenuItemavProofInkBlackMenuItemavProofPaperWhiteMenuItemavProofColorsMenuItemavOverprintPreviewMenuItemavPDFAPolicySubMenuavPDFAPolicyNeveravPDFAPolicyAlwaysavPDFAPolicyWhenCompliantavOpenLinkInNewWindowavFunctionKeyPaletteMenuItemavAdvancedMenuavPrintProductionSubMenuavDocumentProcessingSubMenuavLookUpDefinitionMenuItemavLookUpWordMenuItem2avTileMonitorsMenuItemavCantLoadResourceavServicesMenuItemavHideAcrobatMenuItemavHideReaderMenuItemavHideOthersMenuItemavShowAllMenuItemavMinimizeMenuItemavMinimizeAllMenuItemavZoomWindowMenuItemavBringAllToFrontMenuItemavReadingSplitavSpreadsheetSplitavRemoveSplitavHideThisButtonavShowToolbarsMenuItemHelpavHideToolbarsMenuItemavHideToolbarsMenuItemHelpavHideToolbarsWarningavShowHideToolbarButtonTipavZoomToolsContextMenuavPropertyToolbarMenuItemHelpavPropertyBarDefaultLabelavTaskButtonsSubMenuavTasksHomeTitleavTasksCreatePDFTitleavTasksCombineFilesTitleavTasksSearchTitleavTasksEngineeringTitleavTasksOutputTitleavTasksExportTitleavShowHowToMenuItemavHideHowToMenuItemavShowAllTaskButtonsMenuItemavHowToMoreTopicsTitleavTasksDockLeftavTasksDockRightavDockCloseMenuItemavTasksShowAtStartupavTasksShowAtStartupMenuItemavDefaultAutoShowTitleavLaunchReaderHelpavLaunchAcrobatHelpavLaunchAcrobatStandardHelpavAboutAcrobatExchMenuItemavAboutAcrobatExchMenuItemProavAboutAcrobatExchMenuItemPro3DavAboutAcrobatExchMenuItemStdavTasksHomeButtonavTasksPrevViewButtonavTasksNextViewButtonavTasksCloseButtonavAboutMenuItemHelpavAdobeExpertSupportURLavOnlineSupportURLavOnlineSupportURLReaderavAccessOnlineURLavDetectAndRepairAcrobatMenuItemavPageSizePointsavPageSizeCentimetersavPageSizePicasavPageSizeFeetavPageSizeYardsavPageSizeMetersavPageSizeKilometersavPageSizeMilesavPageSizeCustomavPageSizeStringPointsavPageSizeStringInchesavPageSizeStringMillimetersavPageSizeStringCentimetersavPageSizeStringPicasavPageSizeStringFeetavPageSizeStringYardsavPageSizeStringMetersavPageSizeStringKilometersavPageSizeStringMilesavPage	AcroRd32.exe
\??\C:\WINDOWS\system32\VBoxService.e	cmd.exe
\??\C:\WINDOWS\system32\VBoxTray.e	cmd.exe

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior

Analysis Process: AcroRd32.exe PID: 1944 Parent PID: 532

General

Start time:	10:12:45
Start date:	24/01/2012
Path:	C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	341616 bytes
MD5 hash:	80660C611B596FFE8AF4074B31AA6FB7

Chronological Activities

Analysis Process: svohost.exe PID: 860 Parent PID: 1944

General

Start time:	10:13:18
Start date:	24/01/2012
Path:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe
Wow64 process (32bit):	false
Commandline:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe
Imagebase:	0x400000
File size:	69632 bytes
MD5 hash:	0E42C23E58D0A4657BE0CE06103045EE

Chronological Activities

Analysis Process: cmd.exe PID: 1784 Parent PID: 860

General

Start time:	10:13:18
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c attrib C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe -H
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: attrib.exe PID: 236 Parent PID: 1784

General

Start time:	10:13:19
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe -H
Imagebase:	0x77dd0000
File size:	12288 bytes
MD5 hash:	E6D680494C812B82A15600FD23C94424

Chronological Activities

Analysis Process: cmd.exe PID: 560 Parent PID: 860

General

Start time:	10:13:19
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c copy C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe C:\WINDOWS\system32\svohost.exe /y
Imagebase:	0x7c900000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: svohost.exe PID: 1456 Parent PID: 860

General

Start time:	10:13:20
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\svohost.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\svohost.exe
Imagebase:	0x7c900000
File size:	69632 bytes
MD5 hash:	0E42C23E58D0A4657BE0CE06103045EE

Chronological Activities

Analysis Process: cmd.exe PID: 2000 Parent PID: 860

General

Start time:	10:13:20
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c del /f C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe >> NUL
Imagebase:	0x7c900000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: cmd.exe PID: 1988 Parent PID: 1944

General

Start time:	10:13:21
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c C:\2c4513647290a7e9817eba83e383973e.pdf
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: cmd.exe PID: 1996 Parent PID: 1456

General

Start time:	10:13:21
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c expand C:\WINDOWS\system32\wisptis.dll.tmp C:\WINDOWS\system32\wisptis.dll
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: expand.exe PID: 612 Parent PID: 1996

General

Start time:	10:14:28
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\expand.exe
Wow64 process (32bit):	false
Commandline:	expand C:\WINDOWS\system32\wisptis.dll.tmp C:\WINDOWS\system32\wisptis.dll
Imagebase:	0x7e410000
File size:	15872 bytes
MD5 hash:	9F06D6991CAB51B1199817A4479A799F

Chronological Activities

Analysis Process: AcroRd32.exe PID: 868 Parent PID: 1988

General

Start time:	10:14:29
Start date:	24/01/2012
Path:	C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe C:\2c4513647290a7e9817eba83e383973e.pdf
Imagebase:	0x400000
File size:	341616 bytes
MD5 hash:	80660C611B596FFE8AF4074B31AA6FB7

Chronological Activities

Analysis Process: iexplore.exe PID: 1396 Parent PID: 1456

General

Start time:	10:14:29
Start date:	24/01/2012
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\IEXPLORE.EXE
Imagebase:	0x7c800000
File size:	93184 bytes
MD5 hash:	55794B97A7FAABD2910873C85274F409

Chronological Activities

Analysis Process: cmd.exe PID: 1928 Parent PID: 1396

General

Start time:	10:14:30
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c ipconfig /all
Imagebase:	0x6f880000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: ipconfig.exe PID: 1052 Parent PID: 1928

General

Start time:	10:14:30
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7e410000
File size:	55808 bytes
MD5 hash:	34781A7E9683F42C4B2FE6F09456568C

Chronological Activities

Disassembly

Shellcode Analysis

Function 0A0BE000, API count: 0, instr count: 7316

Function 0A0BFC94, API count: 0, instr count: 9

Function 0A0BFCDF, API count: 0, instr count: 35

Function 0A0BFCE0, API count: 16, instr count: 268

APIs

SetFilePointer.KERNEL32, ref: 0A0BFD46
ReadFile.KERNEL32, ref: 0A0BFD58
GlobalAlloc.KERNEL32, ref: 0A0BFD81
SetFilePointer.KERNEL32, ref: 0A0BFD97
ReadFile.KERNEL32, ref: 0A0BFDA7
CloseHandle.KERNEL32, ref: 0A0BFDB4
_lcreat.KERNEL32, ref: 0A0BFE39
_hwrite.KERNEL32, ref: 0A0BFE72
CloseHandle.KERNEL32, ref: 0A0BFE78
WinExec.KERNEL32, ref: 0A0BFE84
GlobalAlloc.KERNEL32, ref: 0A0BFEEC
_lcreat.KERNEL32, ref: 0A0BFF0F
_hwrite.KERNEL32, ref: 0A0BFF26
CloseHandle.KERNEL32, ref: 0A0BFF2A
WinExec.KERNEL32, ref: 0A0BFF74
TerminateProcess.KERNEL32, ref: 0A0BFF7D

Function 0A0BFF80, API count: 0, instr count: 41

Code Analysis

Analysis Process: AcroRd32.exe PID: 1944 Parent PID: 532

Executed Functions

Non-executed Functions

Analysis Process: svohost.exe PID: 860 Parent PID: 1944

Executed Functions

Non-executed Functions

Analysis Process: cmd.exe PID: 1784 Parent PID: 860

Executed Functions

Non-executed Functions

Analysis Process: attrib.exe PID: 236 Parent PID: 1784

Executed Functions

Non-executed Functions

Analysis Process: cmd.exe PID: 560 Parent PID: 860

Executed Functions

Non-executed Functions

Analysis Process: svohost.exe PID: 1456 Parent PID: 860

Executed Functions

Non-executed Functions

Analysis Process: cmd.exe PID: 2000 Parent PID: 860

Executed Functions

Non-executed Functions

Analysis Process: cmd.exe PID: 1988 Parent PID: 1944

Executed Functions

Non-executed Functions

Analysis Process: cmd.exe PID: 1996 Parent PID: 1456

Executed Functions

Non-executed Functions

Analysis Process: expand.exe PID: 612 Parent PID: 1996

Executed Functions

Non-executed Functions

Analysis Process: AcroRd32.exe PID: 868 Parent PID: 1988

Executed Functions

Non-executed Functions

Analysis Process: iexplore.exe PID: 1396 Parent PID: 1456

Executed Functions

Non-executed Functions

Analysis Process: cmd.exe PID: 1928 Parent PID: 1396

Executed Functions

Non-executed Functions

Analysis Process: ipconfig.exe PID: 1052 Parent PID: 1928

Executed Functions

Non-executed Functions

Loading ...

Warning!

Error!

General Information

Classification / Threat Score

Matching Signatures

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

String Analysis

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis Process: AcroRd32.exe PID: 1944 Parent PID: 532

Analysis Process: svohost.exe PID: 860 Parent PID: 1944

Analysis Process: cmd.exe PID: 1784 Parent PID: 860

Analysis Process: attrib.exe PID: 236 Parent PID: 1784

Analysis Process: cmd.exe PID: 560 Parent PID: 860

Analysis Process: svohost.exe PID: 1456 Parent PID: 860

Analysis Process: cmd.exe PID: 2000 Parent PID: 860

Analysis Process: cmd.exe PID: 1988 Parent PID: 1944

Analysis Process: cmd.exe PID: 1996 Parent PID: 1456

Analysis Process: expand.exe PID: 612 Parent PID: 1996

Analysis Process: AcroRd32.exe PID: 868 Parent PID: 1988

Analysis Process: iexplore.exe PID: 1396 Parent PID: 1456

Analysis Process: cmd.exe PID: 1928 Parent PID: 1396

Analysis Process: ipconfig.exe PID: 1052 Parent PID: 1928

Disassembly

Shellcode Analysis

Code Analysis

Analysis Process: AcroRd32.exe PID: 1944 Parent PID: 532

Analysis Process: svohost.exe PID: 860 Parent PID: 1944

Analysis Process: cmd.exe PID: 1784 Parent PID: 860

Analysis Process: attrib.exe PID: 236 Parent PID: 1784

Analysis Process: cmd.exe PID: 560 Parent PID: 860

Analysis Process: svohost.exe PID: 1456 Parent PID: 860

Analysis Process: cmd.exe PID: 2000 Parent PID: 860

Analysis Process: cmd.exe PID: 1988 Parent PID: 1944

Analysis Process: cmd.exe PID: 1996 Parent PID: 1456

Analysis Process: expand.exe PID: 612 Parent PID: 1996

Analysis Process: AcroRd32.exe PID: 868 Parent PID: 1988

Analysis Process: iexplore.exe PID: 1396 Parent PID: 1456

Analysis Process: cmd.exe PID: 1928 Parent PID: 1396

Analysis Process: ipconfig.exe PID: 1052 Parent PID: 1928