Loading ...

Play interactive tourEdit tour

Analysis Report dynwrapx.dll

Overview

General Information

Sample Name:dynwrapx.dll
Analysis ID:326415
MD5:e0b8dfd17b8e7de760b273d18e58b142
SHA1:801509fb6783c9e57edc67a72dde3c62080ffbaf
SHA256:4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

Most interesting Screenshot:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Registers a DLL
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6760 cmdline: loaddll32.exe 'C:\Users\user\Desktop\dynwrapx.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • regsvr32.exe (PID: 6768 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\dynwrapx.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • cmd.exe (PID: 6776 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 6788 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 6836 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: dynwrapx.dllVirustotal: Detection: 15%Perma Link
Source: dynwrapx.dllReversingLabs: Detection: 12%
Source: Joe Sandbox ViewIP Address: 87.248.118.23 87.248.118.23
Source: Joe Sandbox ViewIP Address: 151.101.1.44 151.101.1.44
Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: de-ch[1].htm.4.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf2d7a8e8,0x01d6c977</date><accdate>0xf2d7a8e8,0x01d6c977</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf2d7a8e8,0x01d6c977</date><accdate>0xf2d7a8e8,0x01d6c977</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf2dc6da8,0x01d6c977</date><accdate>0xf2dc6da8,0x01d6c977</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf2dc6da8,0x01d6c977</date><accdate>0xf2dc6da8,0x01d6c977</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf2decfff,0x01d6c977</date><accdate>0xf2decfff,0x01d6c977</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf2decfff,0x01d6c977</date><accdate>0xf2decfff,0x01d6c977</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknownDNS traffic detected: queries for: www.msn.com
Source: de-ch[1].htm.4.drString found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.drString found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.4.drString found in binary or memory: http://popup.taboola.com/german
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.drString found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.drString found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.drString found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: iab2Data[1].json.4.drString found in binary or memory: https://bealion.com/politica-de-cookies
Source: auction[1].htm.4.drString found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=1fM2_FkGIS.9BSWBn_wKGqPOCcHNt4OGxdcB6nxMnbPIt8v8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.4.drString found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: iab2Data[1].json.4.drString found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.4.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=220135&amp;a=3064090&amp;g=24798862&amp;epi=dech-edge
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.4.drString found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.4.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.4.drString found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=J1LLe3oGIS8Lzallq0XpDXtRunus3_OnRfvmNETHQrWe
Source: de-ch[1].htm.4.drString found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: de-ch[1].htm.4.drString found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
Source: iab2Data[1].json.4.drString found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1607001974&amp;rver
Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1607001974&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/logout.srf?ct=1607001975&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1607001974&amp;rver=7.0.6730.0&amp;w
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.drString found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.4.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: auction[1].htm.4.drString found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: iab2Data[1].json.4.drString found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.drString found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.drString found in binary or memory: https://related.hu/adatkezeles/
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.drString found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&amp;campid=533862
Source: auction[1].htm.4.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/gLxc_2UMgGRfaBG4AM3OPQ--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.4.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.4.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-verticals-shoppinghub
Source: de-ch[1].htm.4.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: auction[1].htm.4.drString found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=b4844d09d7554ab0b92cc72202a19cb0&amp;r=infopane&amp;i=1&
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: imagestore.dat.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&amp;
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bAOe2.img?h=166&amp
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bAR8G.img?h=333&amp
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bzRRS.img?h=166&amp
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.drString found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&amp;utm_campaign=mestripe
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&amp;utm_campaign=shop-gross
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&amp;utm_campaign=shop-trends
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.jumbo.ch/de/saisonal/fruehling?utm_source=microspot_msn_shopping&amp;utm_medium=display&
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: {1C835E73-356B-11EB-90EB-ECF4BBEA1588}.dat.3.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpw
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/100-millionen-franken-defizit-der-z%c3%bcrcher-stadtrat-ist-in-
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/corona-die-covid-19-fallzahlen-sinken-in-den-z%c3%bcrcher-spit%
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/corona-pr%c3%a4mie-f%c3%bcr-belastetes-stadtz%c3%bcrcher-person
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/die-freigelassenen-sittiche-werden-verhungern/ar-BB1bAer2?ocid=
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/er-hofft-auf-nachhaltige-solidarit%c3%a4t/ar-BB1bAs5q?ocid=hplo
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/fdp-geht-in-totalopposition/ar-BB1bAUHl?ocid=hplocalnews
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-r%c3%a4tselt-%c3%bcber-verschwundene-velo-lichtsignale/
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-verhaftet-200-personen-und-stellt-850-000-franken-siche
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/wie-viele-geschlechter-gibt-es-denn-der-z%c3%bcrcher-gemeindera
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-polizei-hilft-bei-schlag-gegen-drogenring/ar-BB1bA
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.4.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.drString found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
Source: loaddll32.exe, 00000000.00000002.907416513.00000000012FB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: classification engineClassification label: mal48.winDLL@9/136@9/2
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1C835E71-356B-11EB-90EB-ECF4BBEA1588}.datJump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF24D7CD7920FAB120.TMPJump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: dynwrapx.dllVirustotal: Detection: 15%
Source: dynwrapx.dllReversingLabs: Detection: 12%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\dynwrapx.dll'
Source: unknownProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\dynwrapx.dll
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\dynwrapx.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
Source: dynwrapx.dllStatic PE information: section name: const
Source: unknownProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\dynwrapx.dll
Source: auction[1].htm.4.drBinary or memory string: <li class="single serversidenativead hasimage " data-json="{&quot;tvb&quot;:[],&quot;trb&quot;:[],&quot;tjb&quot;:[],&quot;p&quot;:&quot;gemini&quot;,&quot;e&quot;:true}" data-provider="gemini" data-ad-region="infopane" data-ad-index="3" data-viewability="{&quot;sectionads&quot;:[{&quot;ads&quot;:[{&quot;beacon&quot;:&quot;https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=J1LLe3oGIS8Lzallq0XpDXtRunus3_OnRfvmNETHQrWea_n.TV8Pzsc4G.vuw8itkg8gmAn.zSvT01zCM6Dr6zXYEtAPP5DyIrFnQ138JANfOpSUPqIxw3HPP4PxB8cWG7LCxKytnUYeSbhii.CmfUzzRzBL63SIn6TNEITI_n0y5utNTLREbLtPO3RK6fU3dfiumEk9q7tywg5dP70QruVNE5m93BGIbLThVvzBGE7ZJKScQ22M.X50hkQeN3GRKrcoWPXbvht1gBmtaLF.gqhJeH7Vb2EYVmiGR.cHHCHIfXwvguUpLYNHdgtjiKhoW1iMLNEjS7pWAgo6zrEEXw.X2cGQ6NxI4zWrj4pmSX2o_GhuUAg_okoP5py3bZETKxb3sLjyBsoa4qyj4He3qUe0ChfBjCayP8RDAVMxxAJZVoCxKb9KrdnGbdrphiM-&amp;ap=$(AD_POSN)&quot;,&quot;creativeId&quot;:36029144890,&quot;index&quot;:1,&quot;rules&quot;:{&quot;viewabilityDefStatic&quot;:{&quot;c&quot;:1,&quot;d&quot;:1,&quot;p&quot;:50}},&quot;tag&quot;:&quot;{\&quot;imprTrackingUrls\&quot;:[\&quot;https://srtb.msn.com:443/notify/viewedg?rid=b4844d09d7554ab0b92cc72202a19cb0&amp;r=infopane&amp;i=1&amp;p=hp&amp;l=de-ch&amp;d=gemini&amp;b=unknown&amp;a=6b0f1aa9-9ac8-45ce-aef1-cd1b2597c3ef&amp;ii=1&amp;c=\&quot;]}&quot;}],&quot;section&quot;:{&quot;id&quot;:5593683,&quot;template&quot;:&quot;https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;,&quot;code&quot;:&quot;Allocated-dech-HomePage-Infopane1&quot;}}]}">
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection11Regsvr321Input Capture1Security Software Discovery1Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Masquerading1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326415 Sample: dynwrapx.dll Startdate: 03/12/2020 Architecture: WINDOWS Score: 48 25 Multi AV Scanner detection for submitted file 2->25 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 regsvr32.exe 2 8->12         started        process5 14 iexplore.exe 1 73 10->14         started        process6 16 iexplore.exe 167 14->16         started        dnsIp7 19 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49768, 49769 YAHOO-DEBDE United Kingdom 16->19 21 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49762, 49763 FASTLYUS United States 16->21 23 9 other IPs or domains 16->23

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.