
Analysis Report gg.gif.dll

Overview

General Information

Sample Name: gg.gif.dll
Analysis ID: 382555
MD5: 75ffb2cb4faff68f2649a4f6f16840d9
SHA1: 543803cbfad26ff1e538e0843161ef6729ff3a85
SHA256: db9ede8dfbecb23b804cd592eeb7500e397ade3bc1fa01551a912ae572cda8b3
Tags: dll, GG, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6768 cmdline: loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6776 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6796 cmdline: rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6784 cmdline: rundll32.exe C:\Users\user\Desktop\gg.gif.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 7104 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 64 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7104 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4732 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7104 CREDAT:82948 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4864 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6196 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 7112 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1364 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6152 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1364 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.796910446.000000000507B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | (none)
00000003.00000003.796966176.000000000507B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | (none)
00000003.00000002.924347640.0000000004E7F000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | (none)
00000000.00000002.922918490.0000000001020000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none)
00000000.00000003.797626012.00000000037EB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | (none)
(5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.rundll32.exe.2fb0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none)
3.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none)
0.2.loaddll32.exe.1020000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none)
3.2.rundll32.exe.2c70000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none)
0.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.2fb0000.1.raw.unpack | Malware Configuration Extractor: Ursnif (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: gg.gif.dll | ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: gg.gif.dll | Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: gg.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CE12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: global traffic | TCP traffic: 192.168.2.4:49783 -> 185.243.114.196:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.21.dr | String found in binary or memory: http://feross.org
Source: loaddll32.exe, 00000000.00000002.923372495.0000000001272000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com
Source: {05FE9155-96AD-11EB-90EB-ECF4BBEA1588}.dat.25.dr | String found in binary or memory: http://under17.com/joomla/b5_2FTUcdYX/sVnNArBfX_2BDo/zZv_2Fbn6M53QxtrfT64W/tg0Mz_2FW77FnY1h/4P95tKyS
Source: {05FE9153-96AD-11EB-90EB-ECF4BBEA1588}.dat.25.dr | String found in binary or memory: http://under17.com/joomla/qpONlUc_2Fx9bGWS/jLOColZsxiS4Q8t/VbkMaKiMRHZwpzblKX/6AI6KdKhU/1fj0ddZRJ_2F
Source: ~DFF25467FE1B136D69.TMP.17.dr, {EA9F6200-96AC-11EB-90EB-ECF4BBEA1588}.dat.17.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif (rule JoeSecurity_Ursnif_1 in the Yara Overview above)
Source: Yara match | File source: 00000000.00000002.922918490.0000000001020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.923540871.0000000002C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.684429763.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.rundll32.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif (rule JoeSecurity_Ursnif in the Yara Overview above)
Source: Yara match | File source: 00000003.00000003.796910446.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796966176.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.924347640.0000000004E7F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797626012.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797603385.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796946194.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797550182.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796993950.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797787648.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797669563.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797658293.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.878138434.00000000036ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876439503.0000000004F7D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796929617.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796879072.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.923843062.00000000035EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6768, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6796, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif: the same Yara matches (both rules) as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above.

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CE83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CEB341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047C83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047CB341 NtQueryVirtualMemory
Source: gg.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal84.troj.winDLL@20/112@8/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CE757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA9F61FE-96AC-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0DE5436ABEB52E9E.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,StartService
Source: gg.gif.dll | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7104 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7104 CREDAT:82948 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1364 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001745 LoadLibraryA,GetProcAddress,0_2_10001745
                      Source: gg.gif.dllStatic PE information: section name: .code
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002143 push ecx; ret 0_2_10002153
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100020F0 push ecx; ret 0_2_100020F9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02CEE4C9 push ecx; ret 0_2_02CEE4CA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02CEEAE5 push ds; retf 0_2_02CEEAEB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02CED00A push 00000076h; iretd 0_2_02CED01A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02CEAD50 push ecx; ret 0_2_02CEAD59
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02CEB10B push ecx; ret 0_2_02CEB11B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx2_2_048E34A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx2_2_048E3632
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E348F push 00000000h; mov dword ptr [esp], edx2_2_048E37FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E348F push edx; mov dword ptr [esp], 00000002h2_2_048E384A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E348F push 00000000h; mov dword ptr [esp], ecx2_2_048E38D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6194 push eax; mov dword ptr [esp], 00000004h2_2_048E61AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6194 push esi; mov dword ptr [esp], 00001000h2_2_048E61B7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6194 push 00000000h; mov dword ptr [esp], ebp2_2_048E6267
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6099 push esi; mov dword ptr [esp], FFFF0000h2_2_048E60A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6099 push ecx; mov dword ptr [esp], 00005267h2_2_048E60C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6099 push 00000000h; mov dword ptr [esp], edi2_2_048E60D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6099 push ebx; mov dword ptr [esp], 00001000h2_2_048E60F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6099 push ebx; mov dword ptr [esp], 000FFFFFh2_2_048E615F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E6099 push ebx; mov dword ptr [esp], 00406194h2_2_048E6175
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E1B95 push dword ptr [ebp-1Ch]; mov dword ptr [esp], esp2_2_048E1BF2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E1B95 push 00000000h; mov dword ptr [esp], esi2_2_048E1CD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E1B95 push 00000000h; mov dword ptr [esp], esi2_2_048E1D37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E1B95 push dword ptr [ebp-20h]; mov dword ptr [esp], esi2_2_048E1DC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E1B95 push 00000000h; mov dword ptr [esp], ebp2_2_048E1E4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E1B95 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx2_2_048E1F23
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E20EE push 00000000h; mov dword ptr [esp], esi2_2_048E210B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi2_2_048E2177
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx2_2_048E222E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048E20EE push 00000000h; mov dword ptr [esp], eax2_2_048E2498

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.922918490.0000000001020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.923540871.0000000002C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.684429763.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.rundll32.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.796910446.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796966176.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.924347640.0000000004E7F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797626012.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797603385.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796946194.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797550182.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796993950.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797787648.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797669563.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.797658293.00000000037EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.878138434.00000000036ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876439503.0000000004F7D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796929617.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796879072.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.923843062.00000000035EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6768, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6796, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CE12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02CE12D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_047C12D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress, 0_2_10001745
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_048E2DF5 or edx, dword ptr fs:[00000030h] 2_2_048E2DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04542DF5 or edx, dword ptr fs:[00000030h] 3_2_04542DF5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1
Source: loaddll32.exe, 00000000.00000002.923414060.0000000001880000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.923825911.0000000003130000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.923414060.0000000001880000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.923825911.0000000003130000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.923414060.0000000001880000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.923825911.0000000003130000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.923414060.0000000001880000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.923825911.0000000003130000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CE269C cpuid 0_2_02CE269C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_1000102F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02CE269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02CE269C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.922918490.0000000001020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.923540871.0000000002C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.684429763.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.rundll32.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.796910446.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.796966176.000000000507B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.924347640.0000000004E7F000.00000004.00000040.sdmp, type: MEMORY