Loading ...

Play interactive tourEdit tour

Analysis Report 0204_1.gif.dll

Overview

General Information

Sample Name:0204_1.gif.dll
Analysis ID:382559
MD5:6ebc18a521638630f9b89ddb23c13b22
SHA1:6bf2fd63e47f2b278ef75cca3893d87855c646d6
SHA256:65179a35467708828de13c9a53f254c956cc4235a0196e3c53ca5022c176a6aa
Tags:dllGGGoziISFBUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5452 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4904 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 68 cmdline: rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2628 cmdline: rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6664 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6708 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6972 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6780 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1268 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5188 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6384 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3360 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6384 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.rundll32.exe.bd0000.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              1.2.loaddll32.exe.2ed0000.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                5.2.rundll32.exe.be0000.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  1.2.loaddll32.exe.10000000.4.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    5.2.rundll32.exe.10000000.5.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 4.2.rundll32.exe.bd0000.1.raw.unpackMalware Configuration Extractor: Ursnif [[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: urs-world.comVirustotal: Detection: 5%Perma Link
                      Source: under17.comVirustotal: Detection: 5%Perma Link
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 0204_1.gif.dllReversingLabs: Detection: 54%
                      Machine Learning detection for sampleShow sources
                      Source: 0204_1.gif.dllJoe Sandbox ML: detected
                      Source: 5.2.rundll32.exe.10000000.5.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 1.2.loaddll32.exe.1200000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen3
                      Source: 1.2.loaddll32.exe.10000000.4.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 0204_1.gif.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_02F912D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,5_2_02D712D4
                      Source: Joe Sandbox ViewIP Address: 185.243.114.196 185.243.114.196
                      Source: Joe Sandbox ViewIP Address: 185.186.244.95 185.186.244.95
                      Source: Joe Sandbox ViewASN Name: ACCELERATED-ITDE ACCELERATED-ITDE
                      Source: Joe Sandbox ViewASN Name: WEBZILLANL WEBZILLANL
                      Source: global trafficTCP traffic: 192.168.2.3:49731 -> 185.243.114.196:80
                      Source: global trafficTCP traffic: 192.168.2.3:49758 -> 185.186.244.95:80
                      Source: unknownDNS traffic detected: queries for: login.microsoftonline.com
                      Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.14.drString found in binary or memory: http://feross.org
                      Source: ~DF4EC0ACC0598C2A74.TMP.28.dr, {FBAD85DA-96F8-11EB-90E4-ECF4BB862DED}.dat.28.drString found in binary or memory: http://under17.com/joomla/5Ee9Djbm01gK/tl8o1rQRrf7/ve4VcCWGPHbKdt/oB2JQB1Ds_2Fi7cV4n7xM/odh0a6MBnYBo
                      Source: {FBAD85D8-96F8-11EB-90E4-ECF4BB862DED}.dat.28.drString found in binary or memory: http://under17.com/joomla/7ilxUUc2eQiB_2BWW/6r_2BMwbjonk/83d_2FHHC15/HJRFbBiTdFKAEO/luoufpwcpxd9B2Df
                      Source: {12812620-96F9-11EB-90E4-ECF4BB862DED}.dat.38.drString found in binary or memory: http://urs-world.com/joomla/swXAVHGoBGvGk1d/ryn6afaNNl5GqYjk6D/Ylnh1Zekh/Fo40Y2SBz206KbWZIB4F/dye0VS
                      Source: ~DFB5C248C8321BA21B.TMP.38.dr, {12812622-96F9-11EB-90E4-ECF4BB862DED}.dat.38.drString found in binary or memory: http://urs-world.com/joomla/xTET0B_2F/unrIzOSyB0AEFaeRqGqR/IAdUqUxpeEtOrtoms_2/FwF1t6izGIt_2BMjrNqXK
                      Source: ~DF9401D896BB639998.TMP.13.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/datenleck-bei-facebook-wachstum-z
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/janet-yellen-us-finanzministerin-fordert-weltweite-mi
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/staatliche-regulierung-allianz-gegen-big-tech-druck-a
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/admirale-begehren-auf-gegen-das-verr
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/alexej-nawalny-klagt-
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/es-h
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/so-tickt-kosovos-neue-staatspr
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/ukrainekonflikt-maas-warnt-russland-und-ukraine-
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/coronakrise-laschet-fordert-harten-br
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/das-alles-h
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/fdp-nur-keine-option-von-vornherein-ausschlie
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/l
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/manfred-weber-nennt-eu-beitritt-der-t
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/die-altersheime-hat-man-vergessen/ar-BB1fkRPW?ocid
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/auf-schmusekurs-mit-erdogan-eu-spitzen-reisen-in-die-t
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/das-grosse-impfen-beginnt-geht-es-nun-endlich-vorw
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/der-westen-muss-mit-sanktionen-drohen-die-wehtun/ar-BB1flkV9?oc
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/neuseeland-und-australien-starten-quarant
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/pentagon-usa-beobachten-russlands-aktivit
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-sucht-mit-superpuma-nach-vermissten-minderj
                      Source: msnpopularnow[1].json.14.drString found in binary or memory: https://www.msn.com/de-ch/news/other/ressourcen-f

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY

                      E-Banking Fraud:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY

                      System Summary:

                      barindex
                      Writes or reads registry keys via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001D9F NtMapViewOfSection,1_2_10001D9F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001EB5 GetProcAddress,NtCreateSection,memset,1_2_10001EB5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002375 NtQueryVirtualMemory,1_2_10002375
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F983B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_02F983B7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9B341 NtQueryVirtualMemory,1_2_02F9B341
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D783B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,5_2_02D783B7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D7B341 NtQueryVirtualMemory,5_2_02D7B341
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100021541_2_10002154
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F940941_2_02F94094
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F997F21_2_02F997F2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9B11C1_2_02F9B11C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA348F4_2_02CA348F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA3BDB4_2_02CA3BDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA28EB4_2_02CA28EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE4_2_02CA20EE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA52EC4_2_02CA52EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA5AF64_2_02CA5AF6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA3A854_2_02CA3A85
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA1B954_2_02CA1B95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA3FA84_2_02CA3FA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA554B4_2_02CA554B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA48594_2_02CA4859
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA596E4_2_02CA596E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA237B4_2_02CA237B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA247B4_2_02CA247B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA5C764_2_02CA5C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA13744_2_02CA1374
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA10004_2_02CA1000
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA19184_2_02CA1918
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA33144_2_02CA3314
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA64244_2_02CA6424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD348F5_2_02CD348F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD3BDB5_2_02CD3BDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD52EC5_2_02CD52EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD20EE5_2_02CD20EE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD28EB5_2_02CD28EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD5AF65_2_02CD5AF6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD3A855_2_02CD3A85
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD1B955_2_02CD1B95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD3FA85_2_02CD3FA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD554B5_2_02CD554B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD48595_2_02CD4859
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD596E5_2_02CD596E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD237B5_2_02CD237B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD247B5_2_02CD247B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD13745_2_02CD1374
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD5C765_2_02CD5C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD10005_2_02CD1000
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD19185_2_02CD1918
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD33145_2_02CD3314
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD64245_2_02CD6424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D740945_2_02D74094
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D797F25_2_02D797F2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D7B11C5_2_02D7B11C
                      Source: 0204_1.gif.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: classification engineClassification label: mal92.troj.winDLL@21/108@9/2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_02F9757F
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF429EC30D8A24338F.TMPJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartService
                      Source: 0204_1.gif.dllReversingLabs: Detection: 54%
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartService
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:17410 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:82952 /prefetch:2
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17410 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17414 /prefetch:2
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6384 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartServiceJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:82952 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17414 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6384 CREDAT:17410 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknown
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001745 LoadLibraryA,GetProcAddress,1_2_10001745
                      Source: 0204_1.gif.dllStatic PE information: section name: .code
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002143 push ecx; ret 1_2_10002153
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100020F0 push ecx; ret 1_2_100020F9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9EAE5 push ds; retf 1_2_02F9EAEB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9E4C9 push ecx; ret 1_2_02F9E4CA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9AD50 push ecx; ret 1_2_02F9AD59
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9D343 pushfd ; retf 0003h1_2_02F9D346
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9B10B push ecx; ret 1_2_02F9B11B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx4_2_02CA34A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx4_2_02CA3632
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA348F push 00000000h; mov dword ptr [esp], edx4_2_02CA37FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA348F push edx; mov dword ptr [esp], 00000002h4_2_02CA384A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA348F push 00000000h; mov dword ptr [esp], ecx4_2_02CA38D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA6194 push eax; mov dword ptr [esp], 00000004h4_2_02CA61AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA6194 push esi; mov dword ptr [esp], 00001000h4_2_02CA61B7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA6194 push 00000000h; mov dword ptr [esp], ebp4_2_02CA6267
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], esi4_2_02CA210B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi4_2_02CA2177
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx4_2_02CA222E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], eax4_2_02CA2498
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], edi4_2_02CA2502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], ecx4_2_02CA2524
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx4_2_02CA269D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi4_2_02CA2737
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA20EE push edi; mov dword ptr [esp], 00000004h4_2_02CA2759
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA5AF6 push esi; mov dword ptr [esp], 0000F000h4_2_02CA5C11
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA4DF5 push 00000000h; mov dword ptr [esp], edi4_2_02CA4EA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA2DF5 push dword ptr [ebp-04h]; mov dword ptr [esp], edi4_2_02CA2E1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA2DF5 push 00000000h; mov dword ptr [esp], edx4_2_02CA2EAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA2DF5 push 00000000h; mov dword ptr [esp], ebp4_2_02CA2EC1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA6099 push esi; mov dword ptr [esp], FFFF0000h4_2_02CA60A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA6099 push ecx; mov dword ptr [esp], 00005267h4_2_02CA60C0

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_02F912D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02D712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,5_2_02D712D4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001745 LoadLibraryA,GetProcAddress,1_2_10001745
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02CA2DF5 or edx, dword ptr fs:[00000030h]4_2_02CA2DF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02CD2DF5 or edx, dword ptr fs:[00000030h]5_2_02CD2DF5
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1Jump to behavior
                      Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9269C cpuid 1_2_02F9269C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,1_2_1000102F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02F9269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,1_2_02F9269C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_10001850

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003