Windows Analysis Report
GULPPYUMBy

Overview

General Information

Sample Name: GULPPYUMBy (renamed file extension from none to dll)
Analysis ID: 562433
MD5: 698e141f2659110386e428f6e1178dae
SHA1: d802e890c313d4c8d898523e06574eb05bed7f06
SHA256: 8f3b19090289f2c0215353e2979abcd1c6ebf6217f144cebefba8a0572d5fdc4
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 11.2.rundll32.exe.5490000.6.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Source: GULPPYUMBy.dll Joe Sandbox ML: detected

Compliance

Source: GULPPYUMBy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 4_2_10021854

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.207.230.120 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 139.196.72.155 144
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Source: global traffic TCP traffic: 192.168.2.4:49759 -> 74.207.230.120:8080
Source: global traffic TCP traffic: 192.168.2.4:49762 -> 139.196.72.155:8080
Source: unknown Network traffic detected: IP country count 15
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: svchost.exe, 00000013.00000003.814962589.000001EE39585000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000013.00000003.814962589.000001EE39585000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: rundll32.exe, 0000000B.00000002.1195974527.000000000350B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.762148592.000000000350B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.832763122.000001EE39500000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000B.00000003.757062289.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdaZ
Source: rundll32.exe, 0000000B.00000002.1195974527.000000000350B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.757062289.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.762148592.000000000350B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000B.00000002.1195974527.000000000350B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.762148592.000000000350B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 0000000B.00000002.1195974527.000000000350B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.762148592.000000000350B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000B.00000003.758200655.0000000005B22000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.757062289.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1196929530.0000000005B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bdbab6a7c1251
Source: svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.809882706.000001EE3957D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000013.00000003.809882706.000001EE3957D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.809743590.000001EE395A5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.809816898.000001EE395A5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10012C30 _memset,connect,_strcat,send,recv, 3_2_10012C30

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: loaddll32.exe, 00000000.00000002.686021062.00000000007AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_1001B43F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_1001B43F

E-Banking Fraud

Source: Yara match File source: GULPPYUMBy.dll, type: SAMPLE
Source: Yara match File source: 11.2.rundll32.exe.5840000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d30000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4a10000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b70000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.51d0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4a40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ba0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5780000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5960000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5870000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ba0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4f90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5c40000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5c40000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5620000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.42d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5cc0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a80000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.55f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4960000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a50000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4d20000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.55f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.35f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4bd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3670000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5960000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.49a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3670000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4a40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5840000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4cf0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3620000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5cf0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4fc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5c70000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ba0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4cf0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3130000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4f90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4cd0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4cd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e60000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.49e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.49e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.54c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5cc0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.42d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.698154111.0000000004BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695678222.0000000004E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697643809.0000000004800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197600614.0000000005CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196408950.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697928489.0000000004A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197748289.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.679578387.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196837395.0000000005A81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.679544015.0000000003100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686090984.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196803049.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196180754.0000000003670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698188921.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.685943850.0000000000690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.694796283.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197083617.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695708473.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698237406.0000000004D21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196131106.0000000003621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196688032.0000000005960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1195767818.0000000003361000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.700428113.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.694598202.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.685979293.0000000000751000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697381734.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197436981.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698024966.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698097030.0000000004B71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196737137.0000000005991000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196460440.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695395247.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1195681917.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695172555.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.700757747.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697679889.0000000004831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.681695490.0000000004961000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197274382.0000000005C71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196435372.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.700559072.0000000000E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196321416.0000000005490000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695749630.0000000004FC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695641002.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196503493.0000000005781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695603326.0000000004D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697883792.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196346409.00000000054C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697578778.0000000004301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698123859.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697251813.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695422865.0000000004BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196572936.0000000005840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.681496584.0000000004790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196102968.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697538665.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695541961.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.694543182.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196608362.0000000005871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196239650.00000000051D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.679681622.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698300661.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695799200.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.681720206.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: GULPPYUMBy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Cpfkhipfqaawt\
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10036007 0_2_10036007
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10041050 0_2_10041050
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003130F 0_2_1003130F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030460 0_2_10030460
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10041592 0_2_10041592
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E59F 0_2_1003E59F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10036007 3_2_10036007
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10041050 3_2_10041050
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003130F 3_2_1003130F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100323E2 3_2_100323E2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10030460 3_2_10030460
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10041592 3_2_10041592
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E59F 3_2_1003E59F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100317E2 3_2_100317E2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10040B0E 3_2_10040B0E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10031BB6 3_2_10031BB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10041C56 3_2_10041C56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10036CB5 3_2_10036CB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001CD16 3_2_1001CD16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10042D21 3_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10036007 4_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10041050 4_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003130F 4_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100323E2 4_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10030460 4_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10041592 4_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003E59F 4_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100317E2 4_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10040B0E 4_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10031BB6 4_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10041C56 4_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10036CB5 4_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001CD16 4_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10042D21 4_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10031FC2 4_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D668DE 5_2_00D668DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D774DD 5_2_00D774DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D75CF9 5_2_00D75CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D670ED 5_2_00D670ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7EE94 5_2_00D7EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6EC9B 5_2_00D6EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7E498 5_2_00D7E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7BE8C 5_2_00D7BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6E243 5_2_00D6E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D68D95 5_2_00D68D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7B391 5_2_00D7B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D81B54 5_2_00D81B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D73512 5_2_00D73512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D69700 5_2_00D69700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6F93D 5_2_00D6F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D66ED6 5_2_00D66ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7D8D7 5_2_00D7D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7ACD3 5_2_00D7ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D804DE 5_2_00D804DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D688F4 5_2_00D688F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D764F1 5_2_00D764F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D644FA 5_2_00D644FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7109E 5_2_00D7109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7129C 5_2_00D7129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6AE9A 5_2_00D6AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D66083 5_2_00D66083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7CC89 5_2_00D7CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D704B8 5_2_00D704B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6C850 5_2_00D6C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D68650 5_2_00D68650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6CA43 5_2_00D6CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D75040 5_2_00D75040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D83672 5_2_00D83672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D69A7D 5_2_00D69A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D76864 5_2_00D76864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D8146E 5_2_00D8146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6E86A 5_2_00D6E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7026B 5_2_00D7026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D80867 5_2_00D80867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7561F 5_2_00D7561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D66A1F 5_2_00D66A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6B41A 5_2_00D6B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D71831 5_2_00D71831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D62830 5_2_00D62830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7363D 5_2_00D7363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6B821 5_2_00D6B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7542E 5_2_00D7542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7A429 5_2_00D7A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D66C29 5_2_00D66C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6CFCE 5_2_00D6CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D745CD 5_2_00D745CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D77BCA 5_2_00D77BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7D3C8 5_2_00D7D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D72BF6 5_2_00D72BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7EBFF 5_2_00D7EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D81993 5_2_00D81993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D61F9B 5_2_00D61F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D79186 5_2_00D79186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D67B82 5_2_00D67B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7C38F 5_2_00D7C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6F58F 5_2_00D6F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6FD8C 5_2_00D6FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D63FB8 5_2_00D63FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D741A7 5_2_00D741A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D62FA1 5_2_00D62FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D799AA 5_2_00D799AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7C9A9 5_2_00D7C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7A156 5_2_00D7A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D74B56 5_2_00D74B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6F154 5_2_00D6F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D80D5B 5_2_00D80D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D72753 5_2_00D72753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D61950 5_2_00D61950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D70946 5_2_00D70946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D73D41 5_2_00D73D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6194C 5_2_00D6194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6BB4B 5_2_00D6BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D78D71 5_2_00D78D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6777B 5_2_00D6777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6AB66 5_2_00D6AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6911A 5_2_00D6911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6BD0F 5_2_00D6BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6C309 5_2_00D6C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D70D33 5_2_00D70D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7FF31 5_2_00D7FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6472E 5_2_00D6472E
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 10032B38 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 10030D27 appears 91 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10032B38 appears 52 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030D5A appears 40 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 100200FD appears 35 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030D27 appears 135 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 139 times
Source: GULPPYUMBy.dll Binary or memory string: OriginalFilenameFinalChatSocketCli.exe> vs GULPPYUMBy.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: GULPPYUMBy.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GULPPYUMBy.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
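The process tree above is the core of the loader behaviour recorded in this report: loaddll32.exe exercises the DLL through cmd.exe/rundll32.exe (using the call-by-ordinal form ",#1" that Sigma-style rules key on) and regsvr32.exe, and the DllRegisterServer export then re-launches rundll32.exe on a copy of itself that has been moved into a randomly named folder under SysWOW64, with a non-DLL extension (.ijp) and an arbitrary export name (ARGENi). The function below is an added example, not part of this report or of any sandbox code: it applies those observations as heuristics to constructed Sysmon-style process-creation events assembled from the command lines listed above. The field names, the flag names and the set of "expected" module extensions are assumptions made for the example.

```python
import re

# Extensions rundll32 legitimately loads; anything else (here: .ijp) is a flag.
# This list is an assumption for the example, not a documented rule.
EXPECTED_MODULE_EXTENSIONS = {"dll", "ocx", "cpl", "drv", "ax"}

# "<rundll32> <module>,<entry>": the module may be quoted, the entry is an
# export name or "#ordinal".
RUNDLL_RE = re.compile(
    r'^(?:"[^"]*"|\S+)\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^,\s"]+))'
    r'\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# A module one directory below System32/SysWOW64 (the report shows
# C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp); normal rundll32 targets sit
# directly in the system directory.
SYSTEM_SUBDIR_RE = re.compile(
    r'^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\[^\\]+\\[^\\]+$', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style fields) built
# from the command lines in this report; the records are assembled here, not
# taken from the sandbox's raw logs. The last one is a benign control.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1'},
    {"ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer'},
    {"ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi'},
    {"ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
]


def parse_rundll32(cmdline):
    """Return (module_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return (m.group("qmod") or m.group("mod")), m.group("entry")


def flags_for_event(event):
    """Heuristic flags for one process-creation event (empty list = nothing seen)."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return []
    module, entry = parsed
    basename = module.rsplit("\\", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    flags = []
    if entry.startswith("#"):                               # call by ordinal
        flags.append("ordinal_call")
    if ext not in EXPECTED_MODULE_EXTENSIONS:               # e.g. mtkslow.ijp
        flags.append("non_dll_module_extension")
    if SYSTEM_SUBDIR_RE.match(module):                      # random SysWOW64 subfolder
        flags.append("module_in_unusual_system_subdir")
    if event["ParentImage"].lower().endswith("\\rundll32.exe"):
        flags.append("rundll32_spawned_by_rundll32")        # re-launch of the moved copy
    return flags


def triage_events(events):
    """Map event index -> flags, for the events that raised at least one flag."""
    hits = {}
    for i, ev in enumerate(events):
        f = flags_for_event(ev)
        if f:
            hits[i] = f
    return hits


if __name__ == "__main__":
    for idx, flags in triage_events(EVENTS).items():
        print(idx, EVENTS[idx]["CommandLine"], "->", ", ".join(flags))
```

The ordinal call alone is weak evidence (installers use it too); the combination seen in the last two events, a rundll32 child of rundll32 loading a non-DLL file from a fresh subfolder of the system directory, is the part worth alerting on.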
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal80.troj.evad.winDLL@24/2@0/33
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 0_2_100125C0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: GULPPYUMBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GULPPYUMBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GULPPYUMBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GULPPYUMBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GULPPYUMBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10032B7D push ecx; ret 3_2_10032B90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10030DFF push ecx; ret 3_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032B7D push ecx; ret 4_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10030DFF push ecx; ret 4_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D615F5 push cs; retf 5_2_00D615FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D6114C push ds; ret 5_2_00D6114D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1003D873
Source: GULPPYUMBy.dll Static PE information: real checksum: 0x8f55d should be: 0x8edd1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll
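"real checksum: 0x8f55d should be: 0x8edd1" means the CheckSum field stored in the optional header (0x8f55d) is not the value the standard PE checksum algorithm produces for the file on disk (0x8edd1). The loader only validates the field for drivers, boot-time DLLs and DLLs loaded into critical system processes, so a stale value does not stop the sample from running, but it is a common trace of a binary that was patched or rebuilt after linking. The code below is an added example, not part of this report: it implements that algorithm (sum the file as little-endian 32-bit words with the CheckSum field counted as zero, fold the carries, fold to 16 bits, add the file length) and classifies the stored value as unset, valid or mismatch. Because the sample itself is not on this page, the image it runs on is a constructed PE32 skeleton; its numbers are not the sample's.

```python
import struct


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum (offset 0x40 in both PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 0x40      # signature + COFF header + field offset


def pe_checksum(data):
    """CheckSumMappedFile-style checksum: sum the file as 32-bit words with the
    CheckSum field counted as zero, fold carries, fold to 16 bits, add the length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)        # last partial word is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_status(data):
    """'unset' (field is 0, common for user-mode builds), 'valid', or 'mismatch'
    (the condition this report calls an invalid checksum)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "valid" if stored == pe_checksum(data) else "mismatch"


def with_checksum(data, value):
    """Copy of the image with the CheckSum field rewritten."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", value & 0xFFFFFFFF) + data[off + 4:]


def build_synthetic_pe(payload):
    """Constructed PE32 skeleton used only to exercise the checksum code: DOS
    header, PE signature, COFF header with Characteristics 0x2102
    (32BIT_MACHINE | EXECUTABLE_IMAGE | DLL, as this report lists for the
    sample), a zeroed 224-byte optional header, then payload. Not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    image = build_synthetic_pe(bytes(range(256)) * 3 + b"xyz")
    fixed = with_checksum(image, pe_checksum(image))
    print(checksum_status(image), checksum_status(fixed))
    print("stored 0x%x computed 0x%x" % (stored_checksum(fixed), pe_checksum(fixed)))
```

Run against a real file, `checksum_status(open(path, "rb").read())` reproduces the sandbox's verdict; "unset" should be treated differently from "mismatch", since many legitimate user-mode builds never populate the field at all.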

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vvvefzbln\jyoxabniti.cbi:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100134F0 IsIconic, 0_2_100134F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100134F0 IsIconic, 3_2_100134F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100134F0 IsIconic, 4_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 4_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe TID: 6288 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 3.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.6 %
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 0_2_10030334
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 4_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000013.00000003.831610745.000001EE38C58000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.832693690.000001EE38CEB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.832563554.000001EE38C59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000013.00000002.832598198.000001EE38C81000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@g

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10037657
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1003D873
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 0_2_10002280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00D7D374 mov eax, dword ptr fs:[00000030h] 5_2_00D7D374
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10037657
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10037657
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_1003ACCC
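The "mov eax, dword ptr fs:[00000030h]" at 5_2_00D7D374 is the 32-bit idiom for loading the PEB pointer from the TEB. From there code can read PEB.BeingDebugged (offset 0x02) or PEB.NtGlobalFlag (offset 0x68, whose heap-debug bits are set when a debugger created the process) without ever calling IsDebuggerPresent, which is why the sandbox lists the PEB access next to the IsDebuggerPresent call sites. The scanner below is an added example, not part of this report: it finds the two Intel encodings of that instruction in a raw 32-bit code buffer and peeks at the following instruction to name the PEB field being read. The code buffer is constructed for the example and contains two decoys that merely mention the constant 0x30; the instruction encodings and the PEB offsets are the only facts it relies on.

```python
# x86-32 register names in ModRM reg-field order.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed 32-bit code buffer (not bytes from the sample): a BeingDebugged
# check, an NtGlobalFlag check, and two decoys that do not read fs:[30h].
CODE = bytes.fromhex(
    "55 8B EC"                 # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"        # mov eax, fs:[30h]              <- PEB read
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]    (PEB.BeingDebugged)
    "85 C0"                    # test eax, eax
    "75 10"                    # jnz +0x10
    "B8 30 00 00 00"           # mov eax, 30h                   (decoy: immediate)
    "64 8B 0D 30 00 00 00"     # mov ecx, fs:[30h]              <- PEB read
    "8B 49 68"                 # mov ecx, [ecx+68h]             (PEB.NtGlobalFlag)
    "83 E1 70"                 # and ecx, 70h
    "64 8B 00"                 # mov eax, fs:[eax]              (decoy: no disp32)
    "5D C3"                    # pop ebp; ret
)

# 32-bit PEB offsets commonly reached with a disp8 right after the pointer load.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


def classify_next(code, j, reg):
    """Name the PEB field read by the instruction at code[j:], given that
    register number `reg` holds the PEB pointer. Recognises
    0F B6 /r disp8 (movzx r32, byte [reg+d8]) and 8B /r disp8 (mov r32, [reg+d8])."""
    if j + 4 <= len(code) and code[j] == 0x0F and code[j + 1] == 0xB6:
        modrm, disp = code[j + 2], code[j + 3]
    elif j + 3 <= len(code) and code[j] == 0x8B:
        modrm, disp = code[j + 1], code[j + 2]
    else:
        return "unknown"
    if (modrm & 0xC0) == 0x40 and (modrm & 7) == reg:   # mod=01 (disp8), rm=reg
        return PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")
    return "unknown"


def find_peb_reads(code, base=0):
    """Return [(address, disassembly, peb_field)] for each 'mov r32, fs:[30h]'.

    Encodings recognised (32-bit mode):
      64 A1 30 00 00 00          mov eax, fs:[30h]   (MOV EAX, moffs32)
      64 8B <modrm> 30 00 00 00  mov r32, fs:[30h]   (MOV r32, r/m32; mod=00 rm=101 = disp32)
    """
    hits = []
    i, n = 0, len(code)
    while i + 6 <= n:
        if code[i] == 0x64 and code[i + 1] == 0xA1 and code[i + 2:i + 6] == b"\x30\x00\x00\x00":
            hits.append((base + i, "mov eax, dword ptr fs:[30h]", classify_next(code, i + 6, 0)))
            i += 6
            continue
        if (i + 7 <= n and code[i] == 0x64 and code[i + 1] == 0x8B
                and (code[i + 2] & 0xC7) == 0x05
                and code[i + 3:i + 7] == b"\x30\x00\x00\x00"):
            reg = (code[i + 2] >> 3) & 7
            hits.append((base + i, f"mov {REGS32[reg]}, dword ptr fs:[30h]",
                         classify_next(code, i + 7, reg)))
            i += 7
            continue
        i += 1
    return hits


if __name__ == "__main__":
    for addr, text, field in find_peb_reads(CODE, base=0x00D7D000):
        print(f"{addr:08X}  {text:<32} -> {field}")
```

A byte scan like this is what a static "reads the PEB" signature amounts to; it misses the same access written as `mov eax, fs:[eax]` after `mov eax, 30h` (the decoy pair above), which is exactly the kind of rewriting packers use, so the dynamic IsDebuggerPresent hooks in the sandbox remain the more reliable signal.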

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.207.230.120 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 139.196.72.155 144
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_1003F570
Source: C:\Windows\System32\loaddll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_10043730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_1003F570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10043730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 4_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 4_2_10014B71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003DAA7 cpuid 3_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_1003906D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 3_2_1003CE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 0_2_10030A37

Stealing of Sensitive Information

Source: Yara match File source: GULPPYUMBy.dll, type: SAMPLE
Source: Yara match File source: 11.2.rundll32.exe.5840000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d30000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4a10000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b70000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.51d0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4a40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ba0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5780000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5960000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5870000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ba0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4f90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5c40000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5c40000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5620000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.42d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5cc0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a80000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.55f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4960000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a50000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4d20000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.55f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.35f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4bd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3670000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5960000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.49a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3670000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4a40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5840000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4cf0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3620000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5cf0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4fc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5c70000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ba0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4cf0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3130000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4f90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4cd0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4cd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e60000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.49e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.49e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.54c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5cc0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.42d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.698154111.0000000004BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695678222.0000000004E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697643809.0000000004800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197600614.0000000005CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196408950.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697928489.0000000004A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197748289.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.679578387.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196837395.0000000005A81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.679544015.0000000003100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686090984.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196803049.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196180754.0000000003670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698188921.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.685943850.0000000000690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.694796283.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197083617.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695708473.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698237406.0000000004D21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196131106.0000000003621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196688032.0000000005960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1195767818.0000000003361000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.700428113.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.694598202.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.685979293.0000000000751000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697381734.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197436981.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698024966.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698097030.0000000004B71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196737137.0000000005991000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196460440.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695395247.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1195681917.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695172555.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.700757747.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697679889.0000000004831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.681695490.0000000004961000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1197274382.0000000005C71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196435372.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.700559072.0000000000E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196321416.0000000005490000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695749630.0000000004FC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695641002.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196503493.0000000005781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695603326.0000000004D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697883792.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196346409.00000000054C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697578778.0000000004301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698123859.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697251813.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695422865.0000000004BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196572936.0000000005840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.681496584.0000000004790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196102968.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697538665.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695541961.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.694543182.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196608362.0000000005871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1196239650.00000000051D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.679681622.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.698300661.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.695799200.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.681720206.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY