
Analysis Report 0204.gif.dll

Overview

General Information

Sample Name: 0204.gif.dll
Analysis ID: 382560
MD5: 75c8d835dbb17059c37f5bbe70736e4e
SHA1: 12f7c7f15b85ef34ba3f77a364dcc480c99b6eda
SHA256: 8b130f9fbdcfc64e2ef698a1f111409c66aff2ab6ce66ae0286f8c6817376064
Tags: dll, GGGozi, ISFB, Ursnif
Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6356 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0204.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6364 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6388 cmdline: rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6376 cmdline: rundll32.exe C:\Users\user\Desktop\0204.gif.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5920 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6660 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3440 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5184 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5216 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5184 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3440 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5184 CREDAT:82948 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5340 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3228 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3708 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[
  {
    "RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"
  },
  {
    "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
    "botnet": "5566",
    "server": "12",
    "serpent_key": "10301029JSJUYDWG",
    "sleep_time": "10",
    "SetWaitableTimer_value": "0",
    "DGA_count": "10"
  }
]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.500504435.000000000562F000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.363000651.000000000582B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.442401635.0000000003B4D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.362707401.0000000003C4B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000002.499116859.0000000003490000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(first 5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.3490000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.2be0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.1580000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.38d94a0.3.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 0204.gif.dll | ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: 0204.gif.dll | Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0204.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_017312D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_035512D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | IP Address: 185.186.244.95
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: Joe Sandbox View | ASN Name: WEBZILLANL
Source: global traffic | TCP traffic: 192.168.2.5:49742 -> 185.243.114.196:80
Source: global traffic | TCP traffic: 192.168.2.5:49752 -> 185.186.244.95:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.22.dr | String found in binary or memory: http://feross.org
Source: loaddll32.exe, 00000000.00000002.498740242.000000000174B000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000002.499825406.0000000003633000.00000004.00000001.sdmp | String found in binary or memory: http://under17.com
Source: ~DF0EA985D0D7E507FA.TMP.31.dr, {10347225-96F9-11EB-90E5-ECF4BB570DC9}.dat.31.dr | String found in binary or memory: http://under17.com/joomla/FoUDcBGCRMgOiC93_2Fr_/2FiFUTIFAwn6IXco/_2B0KkmSKvezPZ_/2Ftlw1zwyQYlkJ_2BV/
Source: {10347227-96F9-11EB-90E5-ECF4BB570DC9}.dat.31.dr | String found in binary or memory: http://under17.com/joomla/mDD1H_2FL9FujRk_2BcMx/L3jxGl_2F01C5tOn/lz8tvuPEfBFzKF7/SXzkoDSo5ot_2BU2a7/
Source: ~DF0D8D159CA42C338F.TMP.20.dr, {F32E7673-96F8-11EB-90E5-ECF4BB570DC9}.dat.20.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif (rule JoeSecurity_Ursnif_1, see Yara Overview)
Yara detected Ursnif (rule JoeSecurity_Ursnif, see Yara Overview)
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6356, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.498740242.000000000174B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif (rule JoeSecurity_Ursnif_1; same matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Yara detected Ursnif (rule JoeSecurity_Ursnif; same matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_017383B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0173B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_035583B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0355B341 NtQueryVirtualMemory
                      Source: 0204.gif.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: classification engineClassification label: mal84.troj.winDLL@21/129@8/3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0173757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_0173757F
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F32E7671-96F8-11EB-90E5-ECF4BB570DC9}.datJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF4D64AB4697892AA4.TMPJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204.gif.dll,StartService
                      Source: 0204.gif.dllReversingLabs: Detection: 54%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0204.gif.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204.gif.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5184 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5184 CREDAT:82948 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress
Source: 0204.gif.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx (at 0_2_016C34A1)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx (at 0_2_016C3632)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C348F push 00000000h; mov dword ptr [esp], edx (at 0_2_016C37FE)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C348F push edx; mov dword ptr [esp], 00000002h (at 0_2_016C384A)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C348F push 00000000h; mov dword ptr [esp], ecx (at 0_2_016C38D7)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C6194 push eax; mov dword ptr [esp], 00000004h (at 0_2_016C61AF)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C6194 push esi; mov dword ptr [esp], 00001000h (at 0_2_016C61B7)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C6194 push 00000000h; mov dword ptr [esp], ebp (at 0_2_016C6267)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C237B push 00000000h; mov dword ptr [esp], edi (at 0_2_016C2502)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C237B push 00000000h; mov dword ptr [esp], ecx (at 0_2_016C2524)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C237B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx (at 0_2_016C269D)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C237B push dword ptr [ebp-10h]; mov dword ptr [esp], esi (at 0_2_016C2737)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C237B push edi; mov dword ptr [esp], 00000004h (at 0_2_016C2759)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C247B push 00000000h; mov dword ptr [esp], eax (at 0_2_016C2498)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C247B push 00000000h; mov dword ptr [esp], edi (at 0_2_016C2502)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C247B push 00000000h; mov dword ptr [esp], ecx (at 0_2_016C2524)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C247B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx (at 0_2_016C269D)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C247B push dword ptr [ebp-10h]; mov dword ptr [esp], esi (at 0_2_016C2737)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C247B push edi; mov dword ptr [esp], 00000004h (at 0_2_016C2759)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi (at 0_2_016C48B7)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push dword ptr [ebp-10h]; mov dword ptr [esp], edx (at 0_2_016C490D)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push 00000000h; mov dword ptr [esp], ecx (at 0_2_016C4918)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push dword ptr [ebp-10h]; mov dword ptr [esp], edi (at 0_2_016C4990)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx (at 0_2_016C4A23)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push 00000000h; mov dword ptr [esp], ebp (at 0_2_016C4A2E)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push ebx; mov dword ptr [esp], 00000001h (at 0_2_016C4AD0)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 0_2_016C4BE3)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push 00000000h; mov dword ptr [esp], edx (at 0_2_016C4C36)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi (at 0_2_016C4D62)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push 00000000h; mov dword ptr [esp], edx (at 0_2_016C4D67)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C4859 push 00000000h; mov dword ptr [esp], ecx (at 0_2_016C4D74)
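Every line above is the same idiom: a push whose value is overwritten by the very next instruction, a mov into [esp]. After the push, esp has been decremented and the pushed value stored at the new top of stack; the mov then replaces that slot, so the pushed register or constant is dead and the pair behaves exactly like a single push of the mov's source operand. Reading the real arguments means undoing that rewrite. The Python below is an added example, not part of the report or of the sample; it normalizes listing lines in the report's own text form back to the plain push and collects the constants that are actually passed. The regex, class and function names are the example's own choices, and the sample lines are a constructed subset copied from the listing above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the listing lines above, in the report's own
# "<pid>_<pass>_<function> push X; mov dword ptr [esp], Y" text form.
SAMPLE_LINES = [
    "0_2_016C348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx",
    "0_2_016C348F push 00000000h; mov dword ptr [esp], edx",
    "0_2_016C348F push edx; mov dword ptr [esp], 00000002h",
    "0_2_016C6194 push eax; mov dword ptr [esp], 00000004h",
    "0_2_016C6194 push esi; mov dword ptr [esp], 00001000h",
    "0_2_016C4859 push ebx; mov dword ptr [esp], 00000001h",
    "0_2_016C4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax",
]

# Pattern for the idiom as the report prints it (hypothetical names, this example's own).
PAIR_RE = re.compile(
    r"^(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"push\s+(?P<dead>.+?)\s*;\s*"
    r"mov\s+dword\s+ptr\s+\[esp\]\s*,\s*(?P<live>.+?)\s*$",
    re.IGNORECASE,
)
HEX_IMM_RE = re.compile(r"^[0-9A-Fa-f]+h$")   # MASM-style immediate, e.g. 00001000h


@dataclass(frozen=True)
class NormalizedPush:
    function: str             # report function id, e.g. 0_2_016C348F
    dead_operand: str         # pushed, then overwritten before it is ever read
    live_operand: str         # the value that is actually left on the stack
    canonical: Optional[str]  # equivalent single instruction, None if unsound


def normalize_line(line: str) -> Optional[NormalizedPush]:
    """Rewrite 'push X; mov [esp], Y' to 'push Y'.

    The rewrite is only sound when Y does not mention esp: 'mov [esp], esp'
    stores the already-decremented esp, whereas a plain 'push esp' stores the
    value esp had before the decrement. Such lines get canonical=None.
    """
    m = PAIR_RE.match(line.strip())
    if not m:
        return None
    dead, live = m.group("dead"), m.group("live")
    canonical = None if "esp" in live.lower() else f"push {live}"
    return NormalizedPush(m.group("func"), dead, live, canonical)


def normalize_listing(lines: List[str]) -> List[NormalizedPush]:
    """Normalize every matching line; lines that are not the idiom are skipped."""
    out: List[NormalizedPush] = []
    for line in lines:
        n = normalize_line(line)
        if n is not None:
            out.append(n)
    return out


def pushed_immediates(lines: List[str]) -> List[int]:
    """Constants the obfuscated pushes really pass, in listing order."""
    values: List[int] = []
    for n in normalize_listing(lines):
        if HEX_IMM_RE.match(n.live_operand):
            values.append(int(n.live_operand[:-1], 16))
    return values


def by_function(lines: List[str]) -> Dict[str, List[Optional[str]]]:
    """Canonical pushes grouped per function id, preserving listing order."""
    groups: Dict[str, List[Optional[str]]] = {}
    for n in normalize_listing(lines):
        groups.setdefault(n.function, []).append(n.canonical)
    return groups


if __name__ == "__main__":
    for func, pushes in by_function(SAMPLE_LINES).items():
        print(func, " ; ".join(p or "<unsound>" for p in pushes))
```

Run over the two 0_2_016C6194 lines, the normalizer yields push 00000004h followed by push 00001000h. Those are the values of PAGE_READWRITE (0x4) and MEM_COMMIT (0x1000), pushed in the right-to-left order a VirtualAlloc call uses for its flProtect and flAllocationType arguments; the report does not show the call target, so treat that reading as a hypothesis to confirm against the disassembly at 0_2_016C61B7 before relying on it.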

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.499116859.0000000003490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.498490060.0000000001580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.260461688.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.3490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.500504435.000000000562F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.363000651.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.442401635.0000000003B4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.362707401.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.362777814.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.445053203.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.363042900.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.363073558.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.362687587.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.362981300.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.499756612.0000000003A4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.362750136.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.363016213.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.363030214.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.362737439.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.362723633.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6356, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_017312D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_035512D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_016C2DF5 or edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04942DF5 or edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03432DF5 or edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1
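The three "or edx, dword ptr fs:[00000030h]" functions above read the PEB pointer through the FS segment: in a 32-bit process FS points at the TEB, and offset 0x30 is TEB.ProcessEnvironmentBlock. The function offset 0x2DF5 is the same from three different bases (0x016C0000, 0x04940000, 0x03430000), which is the same unpacked code mapped in each of the three processes. The Python below is an added example, not from the report or the sample: a byte-level scanner that finds FS-relative absolute accesses in raw x86 code and names the TEB field they touch. The opcode whitelist, the type and function names, and the sample buffer are the example's own constructions; the buffer includes the exact encoding of the instruction in this report (64 0B 15 30 00 00 00) next to a decoy 0x64 data byte.

```python
import struct
from dataclasses import dataclass
from typing import List

# In a 32-bit Windows process the FS segment base is the TEB, so an FS-relative
# absolute displacement is a TEB field offset. Only documented offsets are named.
FS_PREFIX = 0x64
KNOWN_TEB_OFFSETS = {
    0x00: "TEB.NtTib.ExceptionList",        # SEH chain head
    0x18: "TEB.NtTib.Self",                 # linear address of the TEB itself
    0x20: "TEB.ClientId.UniqueProcess",     # PID
    0x2C: "TEB.ThreadLocalStoragePointer",
    0x30: "TEB.ProcessEnvironmentBlock",    # the read seen in this report
}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Opcode whitelist (this example's choice, to keep false positives down):
# one-byte opcodes whose ModRM operand can be a disp32 absolute address.
READ_OPCODES = {0x03: "add", 0x0B: "or", 0x13: "adc", 0x1B: "sbb",
                0x23: "and", 0x2B: "sub", 0x33: "xor", 0x3B: "cmp", 0x8B: "mov"}
WRITE_OPCODE = 0x89                             # mov r/m32, r32
GROUP5_OPS = {2: "call", 4: "jmp", 6: "push"}   # FF /2, FF /4, FF /6
MOFFS_OPCODES = {0xA1: "mov eax, fs:[{}]", 0xA3: "mov fs:[{}], eax"}


@dataclass(frozen=True)
class FsAccess:
    offset: int       # position of the 0x64 prefix in the scanned buffer
    text: str         # reconstructed instruction
    teb_offset: int   # displacement into the TEB
    field: str        # TEB field name, or "unknown"


def _hit(offset: int, text: str, disp: int) -> FsAccess:
    return FsAccess(offset, text, disp, KNOWN_TEB_OFFSETS.get(disp, "unknown"))


def scan_fs_accesses(code: bytes) -> List[FsAccess]:
    """Linear scan for FS-prefixed instructions with a disp32 absolute operand.

    This is a byte-pattern heuristic, not a disassembler: it does not follow
    instruction boundaries, so the whitelist above is what keeps a 0x64 byte
    sitting inside an immediate or data from being reported.
    """
    hits: List[FsAccess] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != FS_PREFIX or i + 1 >= n:
            i += 1
            continue
        op = code[i + 1]
        # Form 1: A1/A3 take a 32-bit absolute address and have no ModRM byte.
        if op in MOFFS_OPCODES and i + 6 <= n:
            disp = struct.unpack_from("<I", code, i + 2)[0]
            hits.append(_hit(i, MOFFS_OPCODES[op].format(hex(disp)), disp))
            i += 6
            continue
        # Form 2: ModRM with mod=00 and rm=101 means [disp32] in 32-bit mode.
        if (op in READ_OPCODES or op == WRITE_OPCODE or op == 0xFF) and i + 7 <= n:
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5:
                disp = struct.unpack_from("<I", code, i + 3)[0]
                mem = f"fs:[{hex(disp)}]"
                if op in READ_OPCODES:
                    text = f"{READ_OPCODES[op]} {REG32[reg]}, {mem}"
                elif op == WRITE_OPCODE:
                    text = f"mov {mem}, {REG32[reg]}"
                elif reg in GROUP5_OPS:
                    text = f"{GROUP5_OPS[reg]} dword ptr {mem}"
                else:
                    i += 1
                    continue
                hits.append(_hit(i, text, disp))
                i += 7
                continue
        i += 1
    return hits


def peb_reads(code: bytes) -> List[FsAccess]:
    """Only the accesses that fetch the PEB pointer (fs:[0x30])."""
    return [h for h in scan_fs_accesses(code) if h.teb_offset == 0x30]


# Constructed sample buffer (hand-assembled x86, not a dump from the report).
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"     # mov eax, fs:[0x30]      PEB pointer, moffs form
    "8B400C"           # mov eax, [eax+0x0C]     PEB.Ldr, no FS prefix
    "B864000000"       # mov eax, 0x64           a 0x64 data byte: must not match
    "640B1530000000"   # or  edx, fs:[0x30]      the exact form in this report
    "648B0D18000000"   # mov ecx, fs:[0x18]      TEB self pointer
    "64FF3500000000"   # push dword ptr fs:[0]   start of an SEH frame install
    "C3"               # ret
)

if __name__ == "__main__":
    for h in scan_fs_accesses(SAMPLE_CODE):
        print(f"{h.offset:#06x}  {h.text:26s}  {h.field}")
```

A hit at fs:[0x30] is not evidence of anything by itself; compiler runtime code reads the PEB too. What makes it worth following here is the company it keeps in this report: the LoadLibraryA/GetProcAddress resolver listed above and the unpacked code in memory flagged by the Yara rules. Reading the PEB and then resolving APIs by name is the usual way unpacked code finds its imports without an import table, so the scanner's output is a place to start the static read, not a verdict.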
Source: loaddll32.exe, 00000000.00000002.499142491.0000000001CD0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.499900881.0000000003A40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.499142491.0000000001CD0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.499900881.0000000003A40000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.499142491.0000000001CD0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.499900881.0000000003A40000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.499142491.0000000001CD0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.499900881.0000000003A40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.499142491.0000000001CD0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.499900881.0000000003A40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock