
Analysis Report gg_2.gif.dll

Overview

General Information

Sample Name: gg_2.gif.dll
Analysis ID: 382547
MD5: 93b67d2be7ea4060f946c196af2b9f38
SHA1: ef7c7c2fbf1cd70b83811ce794509f4eb14bf370
SHA256: 2817053b604f2d5f62400afd737d9124c87cc388f76aa10e5cc2db867a31c5dd
Tags: dll, GG, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3544 cmdline: loaddll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5424 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5408 cmdline: rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5420 cmdline: rundll32.exe C:\Users\user\Desktop\gg_2.gif.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6788 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6840 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 7144 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7144 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5220 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7144 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 900 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4280 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[
  {
    "RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"
  },
  {
    "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
    "botnet": "5566",
    "server": "12",
    "serpent_key": "10301029JSJUYDWG",
    "sleep_time": "10",
    "SetWaitableTimer_value": "0",
    "DGA_count": "10"
  }
]]

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.334082249.000000000317B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.334133428.000000000317B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000002.492240511.0000000000BD0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000002.260825998.0000000001060000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000003.321638626.0000000005A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(17 further memory-dump entries not expanded in this export)

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.1330000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.bd0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.1060000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.1060000.1.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: gg_2.gif.dll | ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: gg_2.gif.dll | Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: gg_2.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | IP Address: 185.186.244.95
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: Joe Sandbox View | ASN Name: WEBZILLANL
Source: global traffic | TCP traffic: 192.168.2.7:49730 -> 185.243.114.196:80
Source: global traffic | TCP traffic: 192.168.2.7:49756 -> 185.186.244.95:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js0.13.dr | String found in binary or memory: http://feross.org
Source: rundll32.exe, 00000003.00000003.443272606.000000000352B000.00000004.00000001.sdmp | String found in binary or memory: http://under17.com
Source: {4554B9A3-96F7-11EB-90E6-ECF4BB82F7E0}.dat.25.dr | String found in binary or memory: http://under17.com/joomla/7oXts9AORFsG5/i189ZNd4/wxa5zyBcqStFNvDeNtF1KxB/E9musqCc5L/b_2FSJrdUWwLXBbJ
Source: {4D761D34-96F7-11EB-90E6-ECF4BB82F7E0}.dat.25.dr | String found in binary or memory: http://under17.com/joomla/YJmZr0WJXI7/eZbfNM7hm_2BBw/atfJcuVF_2B5yHpeRoV9f/p4iYAB3akKupopXr/3YLvELEn
Source: loaddll32.exe, 00000000.00000002.492271076.0000000000BFB000.00000004.00000020.sdmp | String found in binary or memory: http://urs-world.com
Source: loaddll32.exe, 00000000.00000002.492271076.0000000000BFB000.00000004.00000020.sdmp | String found in binary or memory: http://urs-world.com/joomla/ych84zDRIp_2FF7IaYN0/GQoKhDOBhANEIsf1GP9/YE&
Source: {5B8FC2C2-96F7-11EB-90E6-ECF4BB82F7E0}.dat.38.dr | String found in binary or memory: http://urs-world.com/joomla/ych84zDRIp_2FF7IaYN0/GQoKhDOBhANEIsf1GP9/YEQ6PJZPGUhJ_2BK96Ghup/vPTPDIHk
Source: {297C5619-96F7-11EB-90E6-ECF4BB82F7E0}.dat.12.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: authorize[1].htm.13.dr | String found in binary or memory: https://login.microsoftonline.com/error?code=50058

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.492240511.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.260825998.0000000001060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.492614087.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.1060000.1.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5408, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3544, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.492271076.0000000000BFB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Yara detected Ursnif
(Both signatures cite the same Yara matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above.)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026783B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034483B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0344B341 NtQueryVirtualMemory
Source: gg_2.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal84.troj.winDLL@18/119@10/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{297C5617-96F7-11EB-90E6-ECF4BB82F7E0}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF9F23A32DA34B18FB.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_2.gif.dll,StartService
Source: gg_2.gif.dll | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_2.gif.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7144 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7144 CREDAT:82952 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress
Source: gg_2.gif.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push eax; mov dword ptr [esp], 00000004h at 0_2_025961AF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push esi; mov dword ptr [esp], 00001000h at 0_2_025961B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push 00000000h; mov dword ptr [esp], ebp at 0_2_02596267
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx at 0_2_025934A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx at 0_2_02593632
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push 00000000h; mov dword ptr [esp], edx at 0_2_025937FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push edx; mov dword ptr [esp], 00000002h at 0_2_0259384A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push 00000000h; mov dword ptr [esp], ecx at 0_2_025938D7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi at 0_2_025948B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-10h]; mov dword ptr [esp], edx at 0_2_0259490D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], ecx at 0_2_02594918
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-10h]; mov dword ptr [esp], edi at 0_2_02594990
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx at 0_2_02594A23
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], ebp at 0_2_02594A2E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push ebx; mov dword ptr [esp], 00000001h at 0_2_02594AD0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax at 0_2_02594BE3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], edx at 0_2_02594C36
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi at 0_2_02594D62
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], edx at 0_2_02594D67
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], ecx at 0_2_02594D74
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push 00000000h; mov dword ptr [esp], edi at 0_2_02592502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push 00000000h; mov dword ptr [esp], ecx at 0_2_02592524
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx at 0_2_0259269D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push dword ptr [ebp-10h]; mov dword ptr [esp], esi at 0_2_02592737
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push edi; mov dword ptr [esp], 00000004h at 0_2_02592759
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push 00000000h; mov dword ptr [esp], eax at 0_2_02592498
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push 00000000h; mov dword ptr [esp], edi at 0_2_02592502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push 00000000h; mov dword ptr [esp], ecx at 0_2_02592524
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx at 0_2_0259269D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push dword ptr [ebp-10h]; mov dword ptr [esp], esi at 0_2_02592737
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push edi; mov dword ptr [esp], 00000004h at 0_2_02592759

                      Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5408, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3544, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02592DF5 or edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D2DF5 or edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03392DF5 or edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267269C cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

                      Stealing of Sensitive Information:

Yara detected Ursnif
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5408, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3544, type: MEMORY