
Analysis Report 606d810b8ff92.pdf.dll

Overview

General Information

Sample Name:606d810b8ff92.pdf.dll
Analysis ID:383181
MD5:0deffc9d51035390ddb6e2934ed67186
SHA1:b449c2ffdd33a3c79e17c781b11be3daf4ae46c4
SHA256:6c99703002ea5284f603d0041f3a72b3a9e26f8f7af45a1f5e34e4297be0efb8
Tags:BRTITA

Detection

Ursnif
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Yara detected Ursnif
Initial sample is a PE file and has a suspicious name
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Registers a DLL
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6092 cmdline: loaddll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4812 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5520 cmdline: rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 4792 cmdline: regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 2436 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 4564 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2436 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 4804 cmdline: rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Charthea1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6176 cmdline: rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Claimdecide MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6268 cmdline: rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,DeathBroad MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6284 cmdline: rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6528 cmdline: rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Meetfinish MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6564 cmdline: rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Mouththese MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

System Summary:

Sigma detected: Execute DLL with spoofed extension
Source: Process started. Author: Joe Security. Data: Command: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1, CommandLine: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll', ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 6092, ProcessCommandLine: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1, ProcessId: 4812
Sigma detected: Register DLL with spoofed extension
Source: Process started. Author: Joe Security. Data: Command: regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll, CommandLine: regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: loaddll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll', ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 6092, ProcessCommandLine: regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll, ProcessId: 4792

Signature Overview

Source: 606d810b8ff92.pdf.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: 606d810b8ff92.pdf.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Noon-blue\619\character\35\metal.pdb | source: loaddll32.exe, 00000000.00000002.512878682.000000006E1EE000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.512693127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.489776733.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.521614035.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.512353242.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.513127334.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.513519821.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.487835127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.506080198.000000006E1EE000.00000002.00020000.sdmp, 606d810b8ff92.pdf.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1DB953 FindFirstFileExA,FindNextFileA,FindClose,0_2_6E1DB953
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1DB597 FindFirstFileExA,0_2_6E1DB597
Source: Joe Sandbox View | IP Address: 104.20.185.68
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: unknown | DNS traffic detected: queries for: www.msn.com
Source: de-ch[1].htm.7.drString found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.7.drString found in binary or memory: http://ogp.me/ns/fb#
Source: ~DF75532A51FCF86B61.TMP.5.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.5.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.drString found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.drString found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.7.drString found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.7.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.7.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
Source: ~DF75532A51FCF86B61.TMP.5.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: ~DF75532A51FCF86B61.TMP.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF75532A51FCF86B61.TMP.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.7.drString found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1617789361&amp;rver
Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1617789361&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/logout.srf?ct=1617789362&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1617789361&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.7.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.7.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.7.drString found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.7.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.7.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: ~DF75532A51FCF86B61.TMP.5.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: imagestore.dat.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1fnJON.img?h=368&amp
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.7.drString found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.7.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.7.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
Source: iab2Data[1].json.7.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF75532A51FCF86B61.TMP.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/geld-ist-nicht-die-einzige-h%c3%bcrde-bei-der-suche-n
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/dann-gibt-es-eine-runde-s%c3%bcsses/ar-BB1fm0kZ?ocid=hplocalnew
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/die-jubil%c3%a4ums-millionen-fliessen-ins-corona-impfprogramm/a
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/die-neue-z%c3%bcrcher-steuererkl%c3%a4rung-sorgt-f%c3%bcr-begei
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/keine-nachtr%c3%a4gliche-therapie-f%c3%bcr-brutalen-vater/ar-BB
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/kommentar-doch-publibike-ist-aus-dem-z%c3%bcrcher-stadtbild-weg
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/landwirte-machen-platz-f%c3%bcr-moore/ar-BB1fmbtu?ocid=hplocaln
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/mit-ihren-blauen-hinweistafeln-f%c3%bchrt-uns-anne-kustermann-v
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/publibike-m%c3%b6chte-in-der-stadt-z%c3%bcrich-eine-erfolgsgesc
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/weder-alltagstauglich-noch-kindgerecht-neben-firmen-bem%c3%a4ng
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.7.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.7.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.22.155.145:443 -> 192.168.2.3:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 6.2.rundll32.exe.6e160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.6e160000.1.unpack, type: UNPACKEDPE

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 606d810b8ff92.pdf.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E162375 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E162375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D8C79
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1CCBC5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E44A8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E186520
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1CA570
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E18856E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E45C8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BE5FB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E0242
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BE396
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BE122
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1CA140
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BDEBD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1AFEC7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C9C10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BDC7C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BDA4A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C7B77
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BD809
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1AD780
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E153C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1BD5D7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C70C3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D3187
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E162154
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E1AD780
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E1C9C10
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E1C7B77
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E1CCBC5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E1D3187
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E162154
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1AD780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1C9C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1C7B77
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1CCBC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1D3187
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1C9C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1D8C79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1BDA4A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1C7B77
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1CCBC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1AD780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1E44A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1E153C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E186520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E18856E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1E45C8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6E1D3187
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1A9DF3 appears 39 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1AA7D0 appears 64 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1D422D appears 32 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1A9DBF appears 248 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 6E1A9DBF appears 157 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1A9DF3 appears 62 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1C2A4D appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1AA7D0 appears 74 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1A9DBF appears 398 times
Source: 606d810b8ff92.pdf.dll | Binary or memory string: OriginalFilenamemetal.dll4 vs 606d810b8ff92.pdf.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: 606d810b8ff92.pdf.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal68.troj.winDLL@23/82@6/3
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF9F36DE493844459A.TMP
Source: 606d810b8ff92.pdf.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606d810b8ff92.pdf.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Charthea1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2436 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Claimdecide
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,DeathBroad
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Meetfinish
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606d810b8ff92.pdf.dll,Mouththese
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 606d810b8ff92.pdf.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 606d810b8ff92.pdf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Noon-blue\619\character\35\metal.pdb source: loaddll32.exe, 00000000.00000002.512878682.000000006E1EE000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.512693127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.489776733.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.521614035.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.512353242.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.513127334.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.513519821.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.487835127.000000006E1EE000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.506080198.000000006E1EE000.00000002.00020000.sdmp, 606d810b8ff92.pdf.dll
Source: 606d810b8ff92.pdf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 606d810b8ff92.pdf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 606d810b8ff92.pdf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 606d810b8ff92.pdf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 606d810b8ff92.pdf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E161745 LoadLibraryA,GetProcAddress
Source: 606d810b8ff92.pdf.dll | Static PE information: real checksum: 0xc7eb9 should be: 0xccf2d
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\606d810b8ff92.pdf.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E164A1D push es; ret 0_2_6E164A2C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E164839 pushad ; ret 0_2_6E164852
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E163D7A push ds; retf 0_2_6E163D7C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1A9D88 push ecx; ret 0_2_6E1A9D9B
Source: C:\Windows\System32\loaddll32.exe | Code functio