Analysis Report 606d810b8ff92.pdf.dll

Overview

General Information

Sample Name: 606d810b8ff92.pdf.dll
Analysis ID: 383181
MD5: 0deffc9d51035390ddb6e2934ed67186
SHA1: b449c2ffdd33a3c79e17c781b11be3daf4ae46c4
SHA256: 6c99703002ea5284f603d0041f3a72b3a9e26f8f7af45a1f5e34e4297be0efb8
Tags: BRTITA

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Yara detected Ursnif
Initial sample is a PE file and has a suspicious name
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Registers a DLL
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: 606d810b8ff92.pdf.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: 606d810b8ff92.pdf.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Noon-blue\619\character\35\metal.pdb source: loaddll32.exe, 00000000.00000002.512878682.000000006E1EE000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.512693127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.489776733.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.521614035.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.512353242.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.513127334.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.513519821.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.487835127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.506080198.000000006E1EE000.00000002.00020000.sdmp, 606d810b8ff92.pdf.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DB953 FindFirstFileExA,FindNextFileA,FindClose, 0_2_6E1DB953
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DB597 FindFirstFileExA, 0_2_6E1DB597

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.185.68 104.20.185.68
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: de-ch[1].htm.7.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbd4fa96b,0x01d72bdf</date><accdate>0xbd4fa96b,0x01d72bdf</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbd4fa96b,0x01d72bdf</date><accdate>0xbd4fa96b,0x01d72bdf</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbd52b6aa,0x01d72bdf</date><accdate>0xbd52b6aa,0x01d72bdf</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbd52b6aa,0x01d72bdf</date><accdate>0xbd5352ec,0x01d72bdf</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbd548b5d,0x01d72bdf</date><accdate>0xbd548b5d,0x01d72bdf</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbd548b5d,0x01d72bdf</date><accdate>0xbd5527a4,0x01d72bdf</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.7.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.7.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: de-ch[1].htm.7.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.7.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: ~DF75532A51FCF86B61.TMP.5.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.5.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.7.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.7.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.7.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.7.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.7.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.7.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
Source: de-ch[1].htm.7.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
Source: ~DF75532A51FCF86B61.TMP.5.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: ~DF75532A51FCF86B61.TMP.5.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF75532A51FCF86B61.TMP.5.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.7.dr String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1617789361&amp;rver
Source: de-ch[1].htm.7.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1617789361&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.7.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1617789362&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.7.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1617789361&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.7.dr String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.7.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.7.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.7.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: ~DF75532A51FCF86B61.TMP.5.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.7.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.7.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.7.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: imagestore.dat.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1fnJON.img?h=368&amp
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.7.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.7.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.7.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.7.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
Source: iab2Data[1].json.7.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF75532A51FCF86B61.TMP.5.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/geld-ist-nicht-die-einzige-h%c3%bcrde-bei-der-suche-n
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/dann-gibt-es-eine-runde-s%c3%bcsses/ar-BB1fm0kZ?ocid=hplocalnew
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/die-jubil%c3%a4ums-millionen-fliessen-ins-corona-impfprogramm/a
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/die-neue-z%c3%bcrcher-steuererkl%c3%a4rung-sorgt-f%c3%bcr-begei
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/keine-nachtr%c3%a4gliche-therapie-f%c3%bcr-brutalen-vater/ar-BB
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kommentar-doch-publibike-ist-aus-dem-z%c3%bcrcher-stadtbild-weg
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/landwirte-machen-platz-f%c3%bcr-moore/ar-BB1fmbtu?ocid=hplocaln
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/mit-ihren-blauen-hinweistafeln-f%c3%bchrt-uns-anne-kustermann-v
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/publibike-m%c3%b6chte-in-der-stadt-z%c3%bcrich-eine-erfolgsgesc
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/weder-alltagstauglich-noch-kindgerecht-neben-firmen-bem%c3%a4ng
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.7.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.7.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.7.dr String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.7.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: 606d810b8ff92.pdf.dll
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E162375 NtQueryVirtualMemory, 3_2_6E162375
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E162375 NtQueryVirtualMemory, 6_2_6E162375
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D8C79 0_2_6E1D8C79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1CCBC5 0_2_6E1CCBC5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E44A8 0_2_6E1E44A8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E186520 0_2_6E186520
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1CA570 0_2_6E1CA570
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E18856E 0_2_6E18856E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E45C8 0_2_6E1E45C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BE5FB 0_2_6E1BE5FB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E0242 0_2_6E1E0242
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BE396 0_2_6E1BE396
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BE122 0_2_6E1BE122
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1CA140 0_2_6E1CA140
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BDEBD 0_2_6E1BDEBD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1AFEC7 0_2_6E1AFEC7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C9C10 0_2_6E1C9C10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BDC7C 0_2_6E1BDC7C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BDA4A 0_2_6E1BDA4A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C7B77 0_2_6E1C7B77
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BD809 0_2_6E1BD809
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1AD780 0_2_6E1AD780
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E153C 0_2_6E1E153C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1BD5D7 0_2_6E1BD5D7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C70C3 0_2_6E1C70C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D3187 0_2_6E1D3187
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E162154 3_2_6E162154
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1AD780 3_2_6E1AD780
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1C9C10 3_2_6E1C9C10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1C7B77 3_2_6E1C7B77
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1CCBC5 3_2_6E1CCBC5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1D3187 3_2_6E1D3187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E162154 6_2_6E162154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1AD780 6_2_6E1AD780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C9C10 6_2_6E1C9C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C7B77 6_2_6E1C7B77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1CCBC5 6_2_6E1CCBC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1D3187 6_2_6E1D3187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1C9C10 8_2_6E1C9C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1D8C79 8_2_6E1D8C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1BDA4A 8_2_6E1BDA4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1C7B77 8_2_6E1C7B77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1CCBC5 8_2_6E1CCBC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1AD780 8_2_6E1AD780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1E44A8 8_2_6E1E44A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1E153C 8_2_6E1E153C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E186520 8_2_6E186520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E18856E 8_2_6E18856E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1E45C8 8_2_6E1E45C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1D3187 8_2_6E1D3187
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1A9DF3 appears 39 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1AA7D0 appears 64 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1D422D appears 32 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1A9DBF appears 248 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6E1A9DBF appears 157 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1A9DF3 appears 62 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1C2A4D appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1AA7D0 appears 74 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1A9DBF appears 398 times
Sample file is different than original file name gathered from version info
Source: 606d810b8ff92.pdf.dll Binary or memory string: OriginalFilenamemetal.dll4 vs 606d810b8ff92.pdf.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: 606d810b8ff92.pdf.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@23/82@6/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9F36DE493844459A.TMP
Source: 606d810b8ff92.pdf.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Charthea1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2436 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Claimdecide
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,DeathBroad
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Meetfinish
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Mouththese
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 606d810b8ff92.pdf.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 606d810b8ff92.pdf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Noon-blue\619\character\35\metal.pdb source: loaddll32.exe, 00000000.00000002.512878682.000000006E1EE000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.512693127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.489776733.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.521614035.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.512353242.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.513127334.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.513519821.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.487835127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.506080198.000000006E1EE000.00000002.00020000.sdmp, 606d810b8ff92.pdf.dll
Source: 606d810b8ff92.pdf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 606d810b8ff92.pdf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 606d810b8ff92.pdf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 606d810b8ff92.pdf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 606d810b8ff92.pdf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E161745 LoadLibraryA,GetProcAddress, 3_2_6E161745
PE file contains an invalid checksum
Source: 606d810b8ff92.pdf.dll Static PE information: real checksum: 0xc7eb9 should be: 0xccf2d
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E164A1D push es; ret 0_2_6E164A2C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E164839 pushad ; ret 0_2_6E164852
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E163D7A push ds; retf 0_2_6E163D7C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A9D88 push ecx; ret 0_2_6E1A9D9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1656CB push eax; ret 0_2_6E1656D3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E162143 push ecx; ret 3_2_6E162153
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1620F0 push ecx; ret 3_2_6E1620F9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1A9D88 push ecx; ret 3_2_6E1A9D9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E162143 push ecx; ret 6_2_6E162153
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1620F0 push ecx; ret 6_2_6E1620F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1A9D88 push ecx; ret 6_2_6E1A9D9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1A9D88 push ecx; ret 8_2_6E1A9D9B

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DB953 FindFirstFileExA,FindNextFileA,FindClose, 0_2_6E1DB953
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DB597 FindFirstFileExA, 0_2_6E1DB597

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E855D IsDebuggerPresent,OutputDebugStringW, 0_2_6E1E855D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E161745 LoadLibraryA,GetProcAddress, 3_2_6E161745
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAE14 mov eax, dword ptr fs:[00000030h] 0_2_6E1DAE14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAE57 mov eax, dword ptr fs:[00000030h] 0_2_6E1DAE57
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAEB2 mov eax, dword ptr fs:[00000030h] 0_2_6E1DAEB2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAF67 mov eax, dword ptr fs:[00000030h] 0_2_6E1DAF67
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAFAB mov eax, dword ptr fs:[00000030h] 0_2_6E1DAFAB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAFEF mov eax, dword ptr fs:[00000030h] 0_2_6E1DAFEF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DADD1 mov eax, dword ptr fs:[00000030h] 0_2_6E1DADD1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1CD988 mov eax, dword ptr fs:[00000030h] 0_2_6E1CD988
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DB020 mov eax, dword ptr fs:[00000030h] 0_2_6E1DB020
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1DAFEF mov eax, dword ptr fs:[00000030h] 3_2_6E1DAFEF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1CD988 mov eax, dword ptr fs:[00000030h] 3_2_6E1CD988
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1DAFEF mov eax, dword ptr fs:[00000030h] 6_2_6E1DAFEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1CD988 mov eax, dword ptr fs:[00000030h] 6_2_6E1CD988
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1DAFEF mov eax, dword ptr fs:[00000030h] 8_2_6E1DAFEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1CD988 mov eax, dword ptr fs:[00000030h] 8_2_6E1CD988
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1AA3EC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1AA3EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1AA0D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E1AA0D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C20F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1C20F2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1AA0D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E1AA0D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E1C20F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1C20F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1AA0D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6E1AA0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C20F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E1C20F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1AA3EC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6E1AA3EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1AA0D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6E1AA0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6E1C20F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6E1C20F2

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1
Source: regsvr32.exe, 00000003.00000002.496316032.00000000032C0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.489684029.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.479406528.00000000031A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.492487945.0000000003490000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.512427329.0000000003470000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.513066418.00000000036E0000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.477745936.0000000003630000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.482282850.0000000003450000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.496316032.00000000032C0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.489684029.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.479406528.00000000031A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.492487945.0000000003490000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.512427329.0000000003470000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.513066418.00000000036E0000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.477745936.0000000003630000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.482282850.0000000003450000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.496316032.00000000032C0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.489684029.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.479406528.00000000031A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.492487945.0000000003490000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.512427329.0000000003470000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.513066418.00000000036E0000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.477745936.0000000003630000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.482282850.0000000003450000.00000002.00000001.sdmp Binary or memory string: Progman
Source: regsvr32.exe, 00000003.00000002.496316032.00000000032C0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.489684029.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.479406528.00000000031A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.492487945.0000000003490000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.512427329.0000000003470000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.513066418.00000000036E0000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.477745936.0000000003630000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.482282850.0000000003450000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1AA5E9 cpuid 0_2_6E1AA5E9
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E1DEECF
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E1D46E7
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1D3CC2
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1D3DC2
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E1DF84E
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E1DF679
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E1DF77F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E1DF553
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1DF275
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E1DF300
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW, 0_2_6E197055
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E1DF0CA
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1DF171
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1DF1DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E1DF679
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E1DEECF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 3_2_6E1D46E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_6E1D3CC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_6E1DF275
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 3_2_6E197055
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E1DF84E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_6E1DF171
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_6E1DF1DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6E1DF679
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_6E1DEECF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E1D46E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1D3CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1DF275
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E197055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_6E1DF84E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1DF171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1DF1DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_6E1DEECF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 8_2_6E1D3CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_6E1DF84E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_6E1DF679
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 8_2_6E1D46E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 8_2_6E1DF77F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 8_2_6E1DF553
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 8_2_6E1DF275
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_6E1DF300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW, 8_2_6E197055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 8_2_6E1DF0CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 8_2_6E1DF171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 8_2_6E1DF1DA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1AA828 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E1AA828
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DAAA5 _free,GetTimeZoneInformation,_free, 0_2_6E1DAAA5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6E161850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_6E161850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 383181, Sample: 606d810b8ff92.pdf.dll, Startdate: 07/04/2021, Architecture: WINDOWS, Score: 68
Signatures shown on the graph: Yara detected Ursnif; Sigma detected: Register DLL with spoofed extension; Sigma detected: Execute DLL with spoofed extension; Initial sample is a PE file and has a suspicious name
Process tree: loaddll32.exe started iexplore.exe, cmd.exe, regsvr32.exe and 6 other processes; cmd.exe started rundll32.exe; iexplore.exe (which contacted 192.168.2.1) started a second iexplore.exe
Network activity of the second iexplore.exe: geolocation.onetrust.com (104.20.185.68, port 443, local ports 49730 and 49731, CLOUDFLARENETUS, United States); lg3.media.net (2.22.155.145, port 443, local ports 49732 and 49733, AKAMAI-ASUS, European Union); 4 other IPs or domains

Contacted Public IPs:

IP             Domain                    Country         ASN    ASN Name         Malicious
104.20.185.68  geolocation.onetrust.com  United States   13335  CLOUDFLARENETUS  false
2.22.155.145   contextual.media.net      European Union  16625  AKAMAI-ASUS      false

Private IPs:

IP
192.168.2.1

Contacted Domains:

Name                      IP             Active
contextual.media.net      2.22.155.145   true
hblg.media.net            2.22.155.145   true
lg3.media.net             2.22.155.145   true
geolocation.onetrust.com  104.20.185.68  true
web.vortex.data.msn.com   unknown        unknown
www.msn.com               unknown        unknown