
Windows Analysis Report
GULPPYUMBy

Overview

General Information

Sample Name: GULPPYUMBy (renamed file extension from none to dll)
Analysis ID: 562433
MD5: 698e141f2659110386e428f6e1178dae
SHA1: d802e890c313d4c8d898523e06574eb05bed7f06
SHA256: 8f3b19090289f2c0215353e2979abcd1c6ebf6217f144cebefba8a0572d5fdc4
Tags: 32 dll exe trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6512 cmdline: loaddll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1260 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5036 cmdline: rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6764 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 4200 cmdline: regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6648 cmdline: rundll32.exe C:\Users\user\Desktop\GULPPYUMBy.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6272 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 3840 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4128 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 1088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
{"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Source | Rule | Description | Author | Strings
GULPPYUMBy.dll | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000002.698154111.0000000004BD1000.00000020.00000800.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.695678222.0000000004E61000.00000020.00000800.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.697643809.0000000004800000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.1197600614.0000000005CF1000.00000020.00000800.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.1196408950.00000000055F0000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(58 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
11.2.rundll32.exe.5840000.12.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4d30000.8.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.32f0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.4a10000.7.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.4b70000.9.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(86 entries in total; first 5 shown)

System Summary

Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1260, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1, ProcessId: 5036

AV Detection

Source: 11.2.rundll32.exe.5490000.6.raw.unpack | Malware Configuration Extractor: Emotet
Source: GULPPYUMBy.dll | Joe Sandbox ML: detected
Source: GULPPYUMBy.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 74.207.230.120 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 139.196.72.155 144
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 74.207.230.120:8080
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 139.196.72.155:8080
Source: unknown | Network traffic detected: IP country count 15
Source: unknown | TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown | TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10012C30 _memset,connect,_strcat,send,recv,
Source: loaddll32.exe, 00000000.00000002.686021062.00000000007AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

E-Banking Fraud

Source: Yara match | File source: GULPPYUMBy.dll, type: SAMPLE
                        Source: Yara matchFile source: 11.2.rundll32.exe.3670000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4a40000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5840000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.regsvr32.exe.4790000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4cf0000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.3620000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5cf0000.21.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.e20000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.750000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4fc0000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4800000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5c70000.19.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.bc0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4ba0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4cf0000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4300000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.3130000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4f90000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5990000.15.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4cd0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4cd0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4e60000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.49e0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.49e0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.54c0000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.e30000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5cc0000.20.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.890000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.42d0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4d30000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.698154111.0000000004BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695678222.0000000004E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697643809.0000000004800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197600614.0000000005CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196408950.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697928489.0000000004A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197748289.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.679578387.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196837395.0000000005A81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.679544015.0000000003100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.686090984.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196803049.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196180754.0000000003670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698188921.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.685943850.0000000000690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.694796283.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197083617.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695708473.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698237406.0000000004D21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196131106.0000000003621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196688032.0000000005960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1195767818.0000000003361000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.700428113.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.694598202.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.685979293.0000000000751000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697381734.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197436981.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698024966.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698097030.0000000004B71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196737137.0000000005991000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196460440.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695395247.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1195681917.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695172555.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.700757747.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697679889.0000000004831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.681695490.0000000004961000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197274382.0000000005C71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196435372.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.700559072.0000000000E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196321416.0000000005490000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695749630.0000000004FC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695641002.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196503493.0000000005781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695603326.0000000004D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697883792.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196346409.00000000054C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697578778.0000000004301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698123859.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697251813.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695422865.0000000004BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196572936.0000000005840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.681496584.0000000004790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196102968.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697538665.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695541961.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.694543182.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196608362.0000000005871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196239650.00000000051D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.679681622.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698300661.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695799200.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.681720206.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

                        System Summary

                        Source: GULPPYUMBy.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp:Zone.Identifier
                        Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Cpfkhipfqaawt\
                        Source: C:\Windows\System32\loaddll32.exe; Code function: String function: 10032B38 appears 33 times
                        Source: C:\Windows\System32\loaddll32.exe; Code function: String function: 10030D27 appears 91 times
                        Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: String function: 10032B38 appears 52 times
                        Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: String function: 10030D5A appears 40 times
                        Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: String function: 100200FD appears 35 times
                        Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: String function: 10030D27 appears 135 times
                        Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 10032B38 appears 52 times
                        Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 10030D5A appears 41 times
                        Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 100200FD appears 36 times
                        Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 10030D27 appears 139 times
                        Source: GULPPYUMBy.dll; Binary or memory string: OriginalFilenameFinalChatSocketCli.exe> vs GULPPYUMBy.dll
                        Source: C:\Windows\SysWOW64\regsvr32.exe; Section loaded: sfc.dll
                        Source: GULPPYUMBy.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll"
                        Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll
                        Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GULPPYUMBy.dll,DllRegisterServer
                        Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\regsvr32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
                        Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi
                        Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer
                        Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                        Source: classification engineClassification label: mal80.troj.evad.winDLL@24/2@0/33
                        Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.ini
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,
                        Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: GULPPYUMBy.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: GULPPYUMBy.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: GULPPYUMBy.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: GULPPYUMBy.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: GULPPYUMBy.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10032B7D push ecx; ret
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10030DFF push ecx; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10032B7D push ecx; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10030DFF push ecx; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00D615F5 push cs; retf
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00D6114C push ds; ret
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                        Source: GULPPYUMBy.dllStatic PE information: real checksum: 0x8f55d should be: 0x8edd1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll
                        Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp
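The process-creation rows above describe the loader chain an endpoint detection engineer wants to match: loaddll32.exe launches regsvr32.exe, cmd.exe and rundll32.exe against GULPPYUMBy.dll on the user's Desktop (including the ordinal call #1 behind the "Suspicious Call by Ordinal" Sigma hit), the sample is then moved to C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp, and rundll32.exe re-launches itself against that non-.dll file with the export names ARGENi and DllRegisterServer. The script below is an added example, not Joe Sandbox code and not part of this report. It runs over constructed Sysmon-style process-creation records (parent image, image, command line): the command lines are copied from the rows above, while the parent/image pairing of each record and the benign shell32.dll control row are assumptions. It scores each rundll32/regsvr32 command line on the traits visible in this chain: a module under C:\Users, a module with a non-DLL extension, a module inside a sub-directory of System32/SysWOW64, an ordinal export, and rundll32.exe spawned by rundll32.exe.

```python
"""Added example (not Joe Sandbox code): score rundll32/regsvr32 process-creation
records for the loader traits seen in this report. Input records are constructed
inline in a Sysmon-like shape; the parent/image pairing is an assumption."""
import ntpath  # parses Windows paths correctly on any host OS
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


# Constructed records; the command lines are the ones listed in this report.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer'),
    # Assumed benign control: an ordinary rundll32 invocation that must not be flagged.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 takes <module>,<export>; the module may be quoted. regsvr32 takes
# optional switches (/s, /i, ...) followed by the module path.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)
REGSVR_RE = re.compile(r'regsvr32\.exe\s+(?:/\S+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)
LOADER_EXTS = {".dll", ".ocx", ".cpl", ".ax"}  # extensions a DLL loader normally sees
SYSDIR_RE = re.compile(r"c:\\windows\\(system32|syswow64)\\(.+)")


def module_of(ev):
    """Return (module_path, export_or_None) for a rundll32/regsvr32 record, else None."""
    exe = ntpath.basename(ev.image).lower()
    if exe == "rundll32.exe":
        m = RUNDLL_RE.search(ev.cmdline)
        return (m.group(1), m.group(2)) if m else None
    if exe == "regsvr32.exe":
        m = REGSVR_RE.search(ev.cmdline)
        return (m.group(1), None) if m else None
    return None


def suspicious_reasons(ev):
    """List the loader traits a record exhibits; an empty list means nothing matched."""
    reasons = []
    parsed = module_of(ev)
    if parsed is None:
        return reasons
    path, export = parsed
    low = path.lower()
    if "\\users\\" in low:                       # module in a user-writable location
        reasons.append("user-writable-module")
    if ntpath.splitext(low)[1] not in LOADER_EXTS:  # e.g. the .ijp file in this report
        reasons.append("non-dll-extension")
    m = SYSDIR_RE.match(low)
    if m and "\\" in m.group(2):                 # module in a sub-directory of System32/SysWOW64
        reasons.append("system-subdir-module")
    if export and export.startswith("#"):        # call by ordinal (rundll32 ...,#1)
        reasons.append("ordinal-export")
    if ntpath.basename(ev.parent).lower() == "rundll32.exe" == ntpath.basename(ev.image).lower():
        reasons.append("rundll32-self-spawn")
    return reasons


def analyze(events):
    """Return [(cmdline, reasons)] for every record that triggered at least one trait."""
    findings = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            findings.append((ev.cmdline, reasons))
    return findings


if __name__ == "__main__":
    for cmdline, reasons in analyze(EVENTS):
        print(f"{', '.join(reasons):55s} {cmdline}")
```

The traits are deliberately additive rather than a single signature: "user-writable-module" alone is noisy on developer machines, but a non-DLL extension inside a random System32 sub-directory combined with rundll32 spawning rundll32 is the part of this chain that a rule can anchor on without knowing the random directory, file or export names.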
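The row "Static PE information: real checksum: 0x8f55d should be: 0x8edd1" is the sandbox recomputing IMAGE_OPTIONAL_HEADER.CheckSum over the file and finding that the stored value does not match (reading "real checksum" as the value stored in the header and "should be" as the recomputed one). A mismatch is common in packed or patched samples because the header is not regenerated after the image is modified; the Windows loader does not enforce the checksum for ordinary user-mode images, so the mismatch is a triage signal rather than an execution blocker. The script below is an added example, not Joe Sandbox code, that performs the same recomputation with the CheckSumMappedFile algorithm (32-bit words summed with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus the file length). Because the sample is not on this page, it runs against a synthetic PE skeleton built inline; to check a real file, pass open(path, "rb").read() to verify() instead of minimal_pe().

```python
"""Added example (not Joe Sandbox code): recompute and verify the PE header
checksum. The PE skeleton below is constructed for the demo and is not executable."""
import struct


def pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile algorithm: sum all 32-bit words of the zero-padded file
    with end-around carry, skipping the 4-byte CheckSum field, fold to 16 bits
    and add the unpadded file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # CheckSum sits at offset 64 of the optional header for PE32 and PE32+ alike:
    # PE signature (4) + COFF file header (20) + 64. e_lfanew is 8-aligned in
    # practice, so the field starts on a 4-byte boundary and the skip below is exact.
    cksum_off = e_lfanew + 4 + 20 + 64
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                       # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)         # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """The CheckSum value the file claims in its optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 4 + 20 + 64)[0]


def verify(data: bytes):
    """Return (stored, computed, matches). A stored value of 0 means 'never set'."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def minimal_pe(size: int = 0x200, checksum: int = 0) -> bytes:
    """Constructed PE skeleton: DOS header with e_lfanew = 0x80, PE signature,
    COFF header and a PE32 optional header whose CheckSum field is `checksum`.
    Only the fields the checksum routine reads are meaningful."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)             # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x014C)           # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x94, 0xE0)             # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", buf, 0x98, 0x10B)            # Magic: PE32
    struct.pack_into("<I", buf, 0x98 + 0x40, checksum)  # OptionalHeader.CheckSum
    for i in range(0x180, size):                        # deterministic body bytes
        buf[i] = (i * 7) & 0xFF
    return bytes(buf)


if __name__ == "__main__":
    sample = minimal_pe(checksum=0x1234)  # deliberately wrong stored value
    stored, computed, ok = verify(sample)
    print(f"real checksum: {stored:#x} should be: {computed:#x} -> {'ok' if ok else 'MISMATCH'}")
```

Two details matter when reading the result: a stored value of 0 is the linker default for images that were never given a checksum and is not by itself suspicious, and a non-zero stored value that does not recompute means the bytes were changed after the header was written, which is exactly what the sandbox is flagging here.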

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp:Zone.Identifier read attributes | delete
                        Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Vvvefzbln\jyoxabniti.cbi:Zone.Identifier read attributes | delete
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100134F0 IsIconic,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100134F0 IsIconic,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100134F0 IsIconic,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                        Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX (9 identical entries)
                        Source: C:\Windows\System32\svchost.exe TID: 6288Thread sleep time: -180000s >= -30000s
                        Source: C:\Windows\System32\loaddll32.exeAPI coverage: 4.6 %
                        Source: C:\Windows\SysWOW64\regsvr32.exeAPI coverage: 3.4 %
                        Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.6 %
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                        Source: svchost.exe, 00000013.00000003.831610745.000001EE38C58000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.832693690.000001EE38CEB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.832563554.000001EE38C59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: svchost.exe, 00000013.00000002.832598198.000001EE38C81000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@g
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00D7D374 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 74.207.230.120 144
                        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 139.196.72.155 144
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003DAA7 cpuid
                        Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: GULPPYUMBy.dll, type: SAMPLE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5840000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4d30000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4a10000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4b70000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.51d0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5490000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4a40000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.bc0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4ba0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5780000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4b70000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5960000.14.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5870000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4ba0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4f90000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5650000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5c40000.18.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.ca0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.e30000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4d00000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5c40000.18.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5620000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.42d0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.3360000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5cc0000.20.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5a80000.17.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.55f0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.regsvr32.exe.4960000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5a50000.16.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5490000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4d20000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.regsvr32.exe.4790000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.890000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.55f0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.ca0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5650000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.35f0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4800000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4bd0000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.3670000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5960000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.49a0000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4830000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.3670000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.d60000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4a40000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5840000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.regsvr32.exe.4790000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4cf0000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.3620000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5cf0000.21.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.e20000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.750000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4fc0000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4800000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5c70000.19.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.bc0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4ba0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4cf0000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.4300000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.3130000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4f90000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5990000.15.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4cd0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4cd0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4e60000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.49e0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.49e0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.54c0000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.e30000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5cc0000.20.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.890000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.42d0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.4d30000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.698154111.0000000004BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695678222.0000000004E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697643809.0000000004800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197600614.0000000005CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196408950.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697928489.0000000004A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197748289.0000000010001000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.679578387.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196837395.0000000005A81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.679544015.0000000003100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.686090984.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196803049.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196180754.0000000003670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698188921.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.685943850.0000000000690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.694796283.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197083617.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695708473.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698237406.0000000004D21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196131106.0000000003621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196688032.0000000005960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1195767818.0000000003361000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.700428113.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.694598202.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.685979293.0000000000751000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.697381734.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1197436981.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698024966.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.698097030.0000000004B71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196737137.0000000005991000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1196460440.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695395247.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1195681917.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.695172555.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (tactics and techniques with matched signatures; signature counts as shown in the report; all other cells of the matrix are the unmatched default grid):

Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (111), DLL Side-Loading (1)
Defense Evasion: Masquerading (2), Virtualization/Sandbox Evasion (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Hidden Files and Directories (1), Obfuscated Files or Information (2), Regsvr32 (1), Rundll32 (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: Input Capture (2)
Discovery: System Time Discovery (2), Query Registry (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Application Window Discovery (1), Remote System Discovery (1), File and Directory Discovery (2), System Information Discovery (36)
Collection: Input Capture (2), Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Application Layer Protocol (1)
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no matched signatures
Behavior Graph (ID 562433; sample GULPPYUMBy; start date 28/01/2022; architecture WINDOWS; score 80)

Contacted hosts from the sample node: 210.57.209.142 (UNAIR-AS-ID Universitas Airlangga, Indonesia), 118.98.72.86 (TELKOMNET-AS-AP PT Telekomunikasi Indonesia, Indonesia) and 29 other IPs or domains.
Signatures on the sample node: Found malware configuration; Yara detected Emotet; C2 URLs / IPs found in malware configuration; 2 other signatures.
Process tree: the sample starts loaddll32.exe, svchost.exe (twice) and 3 other processes. loaddll32.exe starts rundll32.exe, cmd.exe, regsvr32.exe and a second rundll32.exe.
The first rundll32.exe (signature: Hides that the sample has been downloaded from the Internet (zone.identifier)) starts rundll32.exe, which starts a further rundll32.exe; that process connects to 74.207.230.120:8080 (LINODE-AP Linode LLC, United States, local port 49759) and 139.196.72.155:8080 (CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China, local port 49762) and triggers the signature "System process connects to network (likely due to code injection or exploit)".
cmd.exe starts rundll32.exe, which starts a further rundll32.exe that again hides that the sample has been downloaded from the Internet (zone.identifier). regsvr32.exe starts rundll32.exe.

Source | Detection | Scanner | Label
GULPPYUMBy.dll | 100% | Joe Sandbox ML
                        No Antivirus matches
Source | Detection | Scanner | Label
6.2.rundll32.exe.4ba0000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.5840000.12.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4d30000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4f90000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.5870000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4b70000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5620000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5780000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.51d0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.ca0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.32f0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.5650000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4a10000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.bc0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4d00000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5c40000.18.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.3360000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.regsvr32.exe.4960000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5a50000.16.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.55f0000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.5a80000.17.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.regsvr32.exe.4790000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.5490000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4d20000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.d60000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5960000.14.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.3100000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4bd0000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.3670000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4800000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.49a0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4830000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4a40000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.d60000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.3620000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5cf0000.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.e20000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll32.exe.750000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4fc0000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5c70000.19.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4ba0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.35f0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4cf0000.12.unpack | 100% | Avira | HEUR/AGEN.1145233
0.2.loaddll32.exe.690000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.3130000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4300000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.5990000.15.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4cd0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4e60000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.49e0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.54c0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.e30000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.890000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.5cc0000.20.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4b70000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.42d0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
                        No Antivirus matches
Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://ctldl.windowsupdaZ | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
                        No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report | svchost.exe, 00000013.00000003.809882706.000001EE3957D000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000013.00000003.809882706.000001EE3957D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.809743590.000001EE395A5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.809816898.000001EE395A5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ctldl.windowsupdaZ | rundll32.exe, 0000000B.00000003.757062289.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000013.00000003.810079253.000001EE39558000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:562433
                        Start date:28.01.2022
                        Start time:21:36:06
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 14m 7s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:GULPPYUMBy (renamed file extension from none to dll)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal80.troj.evad.winDLL@24/2@0/33
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 100% (good quality ratio 93.4%)
                        • Quality average: 71.5%
                        • Quality standard deviation: 26.4%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 2.20.157.220, 93.184.221.240, 8.238.85.126, 8.248.137.254, 8.248.131.254, 8.248.133.254, 8.248.119.254, 40.91.112.76, 20.54.104.15
                        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: GULPPYUMBy.dll
Time | Type | Description
21:38:09 | API Interceptor | 7x Sleep call for process: svchost.exe modified
                        No context
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                        Category:dropped
                        Size (bytes):61414
                        Entropy (8bit):7.995245868798237
                        Encrypted:true
                        SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                        MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                        SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                        SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                        SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                        Malicious:false
                        Preview:MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.116057753988458
                        Encrypted:false
                        SSDEEP:6:kKWk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:+9kPlE99SNxAhUeYlUSA/t
                        MD5:D1FED154DF638910AC019AFA0CB83733
                        SHA1:951BA120ACEBECC63FC248C40E87CF611A36C4E9
                        SHA-256:7F6F686D8D41DC15FFF7FE2C5A78123408AADB2C260AC09CA3F5486E9FF39983
                        SHA-512:930FD952EBA759F211B7F1AFF4A2B8A52526EE59B6952ECE36EBEDC191EB01E1FCD6B70E8C166954E9D1CD57E3FAFE98ED76E34EFF91C0776883FB47B22DDAC1
                        Malicious:false
                        Preview:p...... .......... ....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.004116662498383
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:GULPPYUMBy.dll
                        File size:557056
                        MD5:698e141f2659110386e428f6e1178dae
                        SHA1:d802e890c313d4c8d898523e06574eb05bed7f06
                        SHA256:8f3b19090289f2c0215353e2979abcd1c6ebf6217f144cebefba8a0572d5fdc4
                        SHA512:9d99de6bcbae3bf2a283764a999d306d736646fee66283853b57ae50ac2234339e19042d4583ca7a150f97ceb4da96ffdee473fb9b0c3c9d18963ab6f44fadcd
                        SSDEEP:6144:HUNF4UQXTkkAiBuGKDU5PSczbmOTT0DaTMGbUylbdTN1itwRClN6RfcjJxX4R0Zq:AeAa4DU5PSczbmmTzTnwyDx6BrWt
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L......a...
                        Icon Hash:74f0e4ecccdce0e4
                        Entrypoint:0x10030d06
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:
                        Time Stamp:0x61F3FA91 [Fri Jan 28 14:15:45 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f4d2f65566a93075f8824e97bf321580
                        Instruction
                        cmp dword ptr [esp+08h], 01h
                        jne 00007F363CB2B347h
                        call 00007F363CB336A0h
                        push dword ptr [esp+04h]
                        mov ecx, dword ptr [esp+10h]
                        mov edx, dword ptr [esp+0Ch]
                        call 00007F363CB2B232h
                        pop ecx
                        retn 000Ch
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [100545D4h]
                        xor eax, ebp
                        push eax
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [100545D4h]
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-10h], esp
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [100545D4h]
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-10h], eax
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        Programming Language:
                        • [RES] VS2005 build 50727
                        • [ C ] VS2005 build 50727
                        • [EXP] VS2005 build 50727
                        • [C++] VS2005 build 50727
                        • [ASM] VS2005 build 50727
                        • [LNK] VS2005 build 50727
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x52d40 | 0x52 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51034 | 0x104 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x27650 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0x4e30 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4bd90 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x46000 | 0x594 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x50fac | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x44539 | 0x45000 | False | 0.469910552536 | data | 6.61687356024 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x46000 | 0xcd92 | 0xd000 | False | 0.33779672476 | data | 5.22622411384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x53000 | 0x6580 | 0x3000 | False | 0.2626953125 | PGP symmetric key encrypted data - | 4.05367526692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x5a000 | 0x27650 | 0x28000 | False | 0.916259765625 | data | 7.8318744089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x82000 | 0x9376 | 0xa000 | False | 0.346923828125 | data | 4.18220950375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        DASHBOARD | 0x5ab04 | 0x23600 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e104 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e238 | 0xb4 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e2ec | 0x134 | AmigaOS bitmap font | Chinese | Taiwan
                        RT_CURSOR | 0x7e420 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e554 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e688 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e7bc | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7e8f0 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7ea24 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7eb58 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7ec8c | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7edc0 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7eef4 | 0x134 | AmigaOS bitmap font | Chinese | Taiwan
                        RT_CURSOR | 0x7f028 | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7f15c | 0x134 | data | Chinese | Taiwan
                        RT_CURSOR | 0x7f290 | 0x134 | data | Chinese | Taiwan
                        RT_BITMAP | 0x7f3c4 | 0xb8 | data | Chinese | Taiwan
                        RT_BITMAP | 0x7f47c | 0x144 | data | Chinese | Taiwan
                        RT_DIALOG | 0x7f5c0 | 0x148 | data | Chinese | Taiwan
                        RT_DIALOG | 0x7f708 | 0x26a | data | Chinese | Taiwan
                        RT_DIALOG | 0x7f974 | 0xe8 | data | Chinese | Taiwan
                        RT_DIALOG | 0x7fa5c | 0x34 | data | Chinese | Taiwan
                        RT_STRING | 0x7fa90 | 0x58 | data | Chinese | Taiwan
                        RT_STRING | 0x7fae8 | 0x82 | data | Chinese | Taiwan
                        RT_STRING | 0x7fb6c | 0x2a | data | Chinese | Taiwan
                        RT_STRING | 0x7fb98 | 0x192 | data | Chinese | Taiwan
                        RT_STRING | 0x7fd2c | 0x4e2 | data | Chinese | Taiwan
                        RT_STRING | 0x80210 | 0x31a | data | Chinese | Taiwan
                        RT_STRING | 0x8052c | 0x2dc | data | Chinese | Taiwan
                        RT_STRING | 0x80808 | 0x8a | data | Chinese | Taiwan
                        RT_STRING | 0x80894 | 0xac | data | Chinese | Taiwan
                        RT_STRING | 0x80940 | 0xde | data | Chinese | Taiwan
                        RT_STRING | 0x80a20 | 0x4c4 | data | Chinese | Taiwan
                        RT_STRING | 0x80ee4 | 0x264 | data | Chinese | Taiwan
                        RT_STRING | 0x81148 | 0x2c | data | Chinese | Taiwan
                        RT_STRING | 0x81174 | 0x42 | data | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x811b8 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x811dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x811f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x81204 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x81218 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x8122c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x81240 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x81254 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x81268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x8127c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x81290 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x812a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x812b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x812cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_GROUP_CURSOR | 0x812e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | Taiwan
                        RT_VERSION | 0x812f4 | 0x304 | data | Chinese | Taiwan
                        RT_MANIFEST | 0x815f8 | 0x56 | ASCII text, with CRLF line terminators | English | United States
                        DLL | Import
                        KERNEL32.dll | FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileAttributesA, GetFileTime, GetTickCount, RtlUnwind, GetSystemInfo, HeapReAlloc, GetCommandLineA, ExitProcess, ExitThread, CreateThread, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, HeapDestroy, HeapCreate, GetStdHandle, GetOEMCP, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetACP, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, FormatMessageA, LocalFree, InterlockedDecrement, MulDiv, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, WritePrivateProfileStringA, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, GlobalLock, lstrcmpA, GlobalAlloc, GlobalDeleteAtom, GetModuleHandleA, GetLastError, lstrlenA, CompareStringA, CompareStringW, MultiByteToWideChar, InterlockedExchange, GetVersion, WideCharToMultiByte, LockResource, FindResourceA, FindResourceW, LoadResource, SizeofResource, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, SetHandleCount, VirtualQuery
                        USER32.dll | GetNextDlgGroupItem, MessageBeep, UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, LoadCursorA, SetCapture, DestroyMenu, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, InvalidateRgn, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, ReleaseDC, GetDC, CopyRect, SetWindowLongA, GetWindowLongA, GetSystemMetrics, DrawIcon, AppendMenuA, SendMessageA, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, CharNextA, GetLastActivePopup, IsWindowEnabled, GetSysColorBrush, ReleaseCapture, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, CharUpperA, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, SetCursor, MessageBoxA, IsChild
                        GDI32.dll | ExtSelectClipRgn, DeleteDC, GetStockObject, GetDeviceCaps, GetBkColor, GetTextColor, GetRgnBox, GetMapMode, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, CreateBitmap, RectVisible, PtVisible, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateRectRgnIndirect, TextOutA
                        comdlg32.dll | GetFileTitleA
                        WINSPOOL.DRV | DocumentPropertiesA, OpenPrinterA, ClosePrinter
                        ADVAPI32.dll | RegQueryValueA, RegSetValueExA, RegCreateKeyExA, RegCloseKey, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA
                        COMCTL32.dll | InitCommonControlsEx
                        SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
                        WS2_32.dll | recv, connect, WSACleanup, socket, WSAStartup, htons, inet_addr, closesocket, send
                        oledlg.dll |
                        ole32.dll | StgOpenStorageOnILockBytes, CoGetClassObject, CoTaskMemAlloc, StgCreateDocfileOnILockBytes, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, CreateILockBytesOnHGlobal, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, OleInitialize, CoFreeUnusedLibraries, OleUninitialize
                        OLEAUT32.dll | SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysFreeString
                        Name | Ordinal | Address
                        DllRegisterServer | 1 | 0x10012860
                        Description | Data
                        LegalCopyright | Innoversal. All rights reserved.
                        InternalName | FinalChatSocketCli.exe
                        FileVersion | 1.0.2.4
                        CompanyName | Innoversal
                        ProductName | Char room only
                        ProductVersion | 1.0.2.4
                        FileDescription | Chat room
                        OriginalFilename | FinalChatSocketCli.exe
                        Translation | 0x0404 0x03b6
                        Language of compilation system | Country where language is spoken | Map
                        Chinese | Taiwan |
                        English | United States |
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 28, 2022 21:37:38.453679085 CET | 49759 | 8080 | 192.168.2.4 | 74.207.230.120
                        Jan 28, 2022 21:37:38.602190018 CET | 8080 | 49759 | 74.207.230.120 | 192.168.2.4
                        Jan 28, 2022 21:37:39.268378019 CET | 49759 | 8080 | 192.168.2.4 | 74.207.230.120
                        Jan 28, 2022 21:37:39.417572975 CET | 8080 | 49759 | 74.207.230.120 | 192.168.2.4
                        Jan 28, 2022 21:37:39.957154989 CET | 49759 | 8080 | 192.168.2.4 | 74.207.230.120
                        Jan 28, 2022 21:37:40.106230021 CET | 8080 | 49759 | 74.207.230.120 | 192.168.2.4
                        Jan 28, 2022 21:37:40.137888908 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:40.375052929 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:40.375256062 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:41.012032986 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:41.248980045 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:41.262382984 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:41.262408018 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:41.262525082 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:46.474993944 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:46.712712049 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:46.714340925 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:46.718425035 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:46.994680882 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:47.825988054 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:47.826212883 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:50.824872971 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:50.824945927 CET | 8080 | 49762 | 139.196.72.155 | 192.168.2.4
                        Jan 28, 2022 21:37:50.825123072 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:37:50.825158119 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:39:29.431499958 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155
                        Jan 28, 2022 21:39:29.431545973 CET | 49762 | 8080 | 192.168.2.4 | 139.196.72.155


                        Target ID:0
                        Start time:21:37:06
                        Start date:28/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll"
                        Imagebase:0x1270000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.686090984.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.685943850.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.685979293.0000000000751000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:1
                        Start time:21:37:06
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:21:37:06
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\GULPPYUMBy.dll
                        Imagebase:0x8a0000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.681695490.0000000004961000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.681496584.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.681720206.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:4
                        Start time:21:37:07
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",#1
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.679578387.0000000003131000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.679544015.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.679681622.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:5
                        Start time:21:37:07
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\GULPPYUMBy.dll,DllRegisterServer
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695678222.0000000004E61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.694796283.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695708473.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.694598202.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695395247.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695172555.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695749630.0000000004FC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695641002.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695603326.0000000004D01000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695422865.0000000004BA1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695541961.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.694543182.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.695799200.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:6
                        Start time:21:37:08
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698154111.0000000004BD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697643809.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697928489.0000000004A11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698188921.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698237406.0000000004D21000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697381734.0000000000D61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698024966.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698097030.0000000004B71000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697679889.0000000004831000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697883792.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697578778.0000000004301000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698123859.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697251813.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.697538665.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.698300661.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:7
                        Start time:21:37:08
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:9
                        Start time:21:37:11
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:10
                        Start time:21:37:14
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.700428113.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.700757747.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.700559072.0000000000E21000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:11
                        Start time:21:37:18
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer
                        Imagebase:0xe60000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1197600614.0000000005CF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196408950.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1197748289.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196837395.0000000005A81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196803049.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196180754.0000000003670000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1197083617.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196131106.0000000003621000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196688032.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1195767818.0000000003361000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1197436981.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196737137.0000000005991000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196460440.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1195681917.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1197274382.0000000005C71000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196435372.0000000005621000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196321416.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196503493.0000000005781000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196346409.00000000054C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196572936.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196102968.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196608362.0000000005871000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1196239650.00000000051D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
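
The four rundll32 records above show the loader chain in one glance: the DLL is first run from the Desktop via its DllRegisterServer export, then re-launched from a randomly named folder under SysWOW64 with a non-library extension (.ijp) and an unusual export name, and finally via the System32 spelling of that same path. Because a 32-bit process on 64-bit Windows has file-system redirection applied, C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp and C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp are the same file, so a detection must fold the two. The triage script below is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling; the sample command lines are copied from the process records above plus one constructed benign control line, and the heuristics, function names and threshold are the editor's own assumptions.

```python
"""Triage rundll32 command lines for the loader pattern in the process list above.

Added example, not part of the Joe Sandbox report. The sample command lines are
copied from the report's process records (plus one benign control line); the
heuristics, names and thresholds are the editor's own choices.
"""
import ntpath
import re
from typing import Optional

# Extensions Windows normally loads through rundll32; anything else is odd.
LIBRARY_EXTS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}
SYSTEM32 = r"c:\windows\system32"

# rundll32 syntax: <image> <module>,<entrypoint> [args]; the module may be quoted
# and the entry point is either an export name or #<ordinal>.
RUNDLL_RE = re.compile(
    r'^\s*(?P<image>"[^"]*"|\S+)\s+'
    r'(?:"(?P<qmod>[^"]*)"|(?P<mod>[^,\s]+))'
    r'\s*,\s*(?P<entry>\S+)'
)

# Constructed sample input: the rundll32 lines from the report and one benign control.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GULPPYUMBy.dll",DllRegisterServer',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cpfkhipfqaawt\mtkslow.ijp",ARGENi',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cpfkhipfqaawt\mtkslow.ijp",DllRegisterServer',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
]


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Split a rundll32 command line into image, module path and entry point."""
    m = RUNDLL_RE.match(cmdline)
    if not m or "rundll32" not in m.group("image").lower():
        return None
    module = m.group("qmod") if m.group("qmod") is not None else m.group("mod")
    return {"image": m.group("image").strip('"'), "module": module, "entry": m.group("entry")}


def suspicious_reasons(cmdline: str) -> list:
    """Return the heuristics a rundll32 command line trips (empty list = nothing odd)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    # WOW64 file-system redirection: a 32-bit process that writes to
    # C:\Windows\System32 actually lands in C:\Windows\SysWOW64, so the two
    # paths in the report refer to the same file. Fold them together.
    module = parsed["module"].lower().replace(r"c:\windows\syswow64", SYSTEM32)
    reasons = []
    if parsed["entry"].startswith("#"):
        reasons.append("entry point called by ordinal")
    ext = ntpath.splitext(module)[1]
    if ext not in LIBRARY_EXTS:
        reasons.append(f"module extension {ext or '(none)'!r} is not a library extension")
    # Windows ships libraries in known System32 subdirectories too, so on its own
    # this flag is noisy; it is meant to combine with the extension check.
    if module.startswith(SYSTEM32 + "\\") and "\\" in module[len(SYSTEM32) + 1:]:
        reasons.append("module lives in a subdirectory of System32/SysWOW64")
    if "\\users\\" in module:
        reasons.append("module lives under a user profile")
    return reasons


def triage(cmdlines, min_reasons: int = 2) -> list:
    """Return (cmdline, reasons) for every line tripping at least min_reasons heuristics."""
    hits = []
    for line in cmdlines:
        reasons = suspicious_reasons(line)
        if len(reasons) >= min_reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_CMDLINES, min_reasons=1):
        print(line)
        for r in reasons:
            print("   -", r)
```

With the default threshold of two heuristics only the two stage-2 launches from the Cpfkhipfqaawt folder are reported; the initial Desktop launch trips a single heuristic (user-profile module) and the shell32.dll control line none, which is the intended balance for an environment where users legitimately double-click DLL installers. Lower min_reasons to 1 when hunting rather than alerting.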

                        Target ID:13
                        Start time:21:37:29
                        Start date:28/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:15
                        Start time:21:37:37
                        Start date:28/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:16
                        Start time:21:37:44
                        Start date:28/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:17
                        Start time:21:37:55
                        Start date:28/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:19
                        Start time:21:38:07
                        Start date:28/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        No disassembly