
Analysis Report 191bfstrategiv.exe

Overview

General Information

Sample Name: 191bfstrategiv.exe
Analysis ID: 255223
MD5: 7c2d0c1730d45a7c74411f6405402afb
SHA1: d2ea52d9ee47b7c470a0cbdd3886408cec3cccc9
SHA256: e8664a43f817709d6e233408681c258c8a99aca41f85462280bd3003ec290b4f

Most interesting Screenshot:

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 191bfstrategiv.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\191bfstrategiv.exe' MD5: 7C2D0C1730D45A7C74411F6405402AFB)
  • iexplore.exe (PID: 5672 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2460 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5672 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • ssvagent.exe (PID: 6372 cmdline: 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new MD5: A3DBA514D38464A5C5A9DEA19E6159F9)
  • iexplore.exe (PID: 4856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4724 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6328 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6328 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6860 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5020 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6860 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5644 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6056 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5644 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5232 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5472 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5232 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.269561710.0000000003360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.269846892.0000000003360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.269291500.0000000003360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.270209589.0000000003360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 30 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Machine Learning detection for sample
Source: 191bfstrategiv.exe | Joe Sandbox ML: detected

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\191bfstrategiv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\191bfstrategiv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\191bfstrategiv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\191bfstrategiv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\191bfstrategiv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml1.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3c15709f,0x01d667b1</date><accdate>0x3c15709f,0x01d667b1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3c15709f,0x01d667b1</date><accdate>0x3c15709f,0x01d667b1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3c1a354d,0x01d667b1</date><accdate>0x3c1a354d,0x01d667b1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3c1a354d,0x01d667b1</date><accdate>0x3c1c979a,0x01d667b1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3c1c979a,0x01d667b1</date><accdate>0x3c1c979a,0x01d667b1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3c1c979a,0x01d667b1</date><accdate>0x3c1c979a,0x01d667b1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: appealingedge.xyz
Source: iexplore.exe, 0000001B.00000002.541805384.00000000055F0000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: 191bfstrategiv.exe, 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe, 0000001B.00000002.541805384.00000000055F0000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 191bfstrategiv.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 191bfstrategiv.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 191bfstrategiv.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 191bfstrategiv.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 191bfstrategiv.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 191bfstrategiv.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: 191bfstrategiv.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.about.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.541805384.00000000055F0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: iexplore.exe, 0000001B.00000002.541805384.00000000055F0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.8.drString found in binary or memory: http://www.amazon.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
            Source: msapplication.xml2.8.drString found in binary or memory: http://www.google.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: msapplication.xml3.8.drString found in binary or memory: http://www.live.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
            Source: msapplication.xml4.8.drString found in binary or memory: http://www.nytimes.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
            Source: msapplication.xml5.8.drString found in binary or memory: http://www.reddit.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: msapplication.xml6.8.drString found in binary or memory: http://www.twitter.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
            Source: msapplication.xml7.8.drString found in binary or memory: http://www.wikipedia.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
            Source: msapplication.xml8.8.drString found in binary or memory: http://www.youtube.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
            Source: iexplore.exe, 0000001B.00000002.542319122.00000000056E3000.00000002.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
            Source: 191bfstrategiv.exe, 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp, iexplore.exe, 0000001B.00000002.543050396.0000000006165000.00000004.00000001.sdmp, iexplore.exe, 0000001B.00000002.539506631.0000000002A94000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz
            Source: iexplore.exe, 0000001B.00000002.539331462.0000000002A33000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/W
            Source: iexplore.exe, 0000001B.00000002.539331462.0000000002A33000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/_
            Source: iexplore.exe, 0000001B.00000002.539331462.0000000002A33000.00000004.00000020.sdmp, ~DFA16645170D0ECFD5.TMP.20.drString found in binary or memory: https://appealingedge.xyz/index.htm
            Source: iexplore.exe, 0000001B.00000002.539331462.0000000002A33000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htm&4
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htm/4
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmA
            Source: iexplore.exe, 0000001B.00000002.539166717.00000000029CB000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmE
            Source: iexplore.exe, 0000001B.00000002.539481842.0000000002A82000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmHs
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmN
            Source: {62FF0D8E-D3A4-11EA-90E0-ECF4BB2D2496}.dat.8.drString found in binary or memory: https://appealingedge.xyz/index.htmRoot
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmp, iexplore.exe, 0000001B.00000002.539166717.00000000029CB000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmS
            Source: iexplore.exe, 0000001B.00000002.539506631.0000000002A94000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmStatus=0x800C0005&DNSError=9003
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htma
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmd
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmdllf
            Source: iexplore.exe, 0000001B.00000002.539506631.0000000002A94000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmi
            Source: iexplore.exe, 0000001B.00000002.539506631.0000000002A94000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmme
            Source: iexplore.exe, 0000001B.00000002.539331462.0000000002A33000.00000004.00000020.sdmpString found in binary or memory: https://appealingedge.xyz/index.htmo
            Source: {62FF0D8E-D3A4-11EA-90E0-ECF4BB2D2496}.dat.8.drString found in binary or memory: https://appealingedge.xyz/index.htmxyz/index.htm
            Source: iexplore.exe, 0000001B.00000002.539331462.0000000002A33000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/8
            Source: 191bfstrategiv.exeString found in binary or memory: https://sectigo.com/CPS0
            Source: 191bfstrategiv.exeString found in binary or memory: https://sectigo.com/CPS0D
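Added triage example (not part of the sandbox report): the "String found in binary or memory" hits above are a handful of URLs repeated with trailing bytes from adjacent memory (index.htm&4, index.htmRoot, index.htmxyz/index.htm), so they have to be collapsed before they are used as indicators. The Python below takes a subset of the strings exactly as printed above, cuts each path at the first recognised file extension, and separates the one non-standard host, appealingedge.xyz, from login.live.com (referenced by Internet Explorer itself) and sectigo.com (the CPS pointer embedded in the sample's Sectigo code-signing certificate). The extension list and the benign-host allowlist are assumptions made for this example; extend both for your own environment.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: a subset of the report's "String found in binary or memory"
# hits, copied with the trailing memory junk exactly as the sandbox printed it.
MEMORY_STRINGS = [
    "https://appealingedge.xyz",
    "https://appealingedge.xyz/W",
    "https://appealingedge.xyz/index.htm",
    "https://appealingedge.xyz/index.htm&4",
    "https://appealingedge.xyz/index.htmRoot",
    "https://appealingedge.xyz/index.htmStatus=0x800C0005&DNSError=9003",
    "https://appealingedge.xyz/index.htmxyz/index.htm",
    "https://login.live.com",
    "https://login.live.com/8",
    "https://sectigo.com/CPS0",
    "https://sectigo.com/CPS0D",
]

# Hosts that routinely show up in iexplore.exe / signed-binary memory and are not
# attacker infrastructure. Assumption for this example: extend for your estate.
BENIGN_HOSTS = {
    "login.live.com",   # Microsoft account endpoint referenced by Internet Explorer
    "sectigo.com",      # CPS URL carried in the sample's Sectigo code-signing certificate
}

# Longer alternatives first, so "index.html" is not cut to "index.htm".
_KNOWN_EXT = re.compile(
    r"^(.*?\.(?:html|htm|php|aspx|asp|jsp|bin|exe|dll|zip))(.*)$", re.IGNORECASE
)

def clean_url(raw: str) -> tuple[str, str]:
    """Return (host, cleaned_path) for one memory string.

    The host comes from urlsplit; the path is cut at the first recognised file
    extension and whatever follows is discarded as appended memory garbage. A path
    with no such extension is kept only if it is longer than a stray character or two."""
    parts = urlsplit(raw.strip())
    host = parts.hostname or ""
    path = parts.path
    m = _KNOWN_EXT.match(path)
    if m:
        return host, m.group(1)
    if len(path.strip("/")) <= 2:      # "/W", "/8", "/_" are junk, not paths
        return host, "/"
    return host, path

def triage(strings: list[str]) -> dict:
    """Collapse noisy memory strings into unique hosts with variant counts and paths."""
    by_host: Counter = Counter()
    paths: dict[str, set] = {}
    for s in strings:
        if not s.lower().startswith(("http://", "https://")):
            continue
        host, path = clean_url(s)
        if not host:
            continue
        by_host[host] += 1
        paths.setdefault(host, set()).add(path)
    return {
        "suspect": {h: {"variants": n, "paths": sorted(paths[h])}
                    for h, n in by_host.items() if h not in BENIGN_HOSTS},
        "benign": {h: n for h, n in by_host.items() if h in BENIGN_HOSTS},
    }

if __name__ == "__main__":
    result = triage(MEMORY_STRINGS)
    for host, info in result["suspect"].items():
        print(f"C2 candidate {host}: {info['variants']} variants, paths {info['paths']}")
    print("benign:", result["benign"])
```

The fragment Status=0x800C0005&DNSError=9003 on one of the index.htm hits is Internet Explorer's own navigation-error string: 0x800C0005 is INET_E_RESOURCE_NOT_FOUND and DNS error 9003 is DNS_ERROR_RCODE_NAME_ERROR (NXDOMAIN), so the host did not resolve while the sample ran. The URL remains a usable indicator, but the run captured no server response from it.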

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000000.00000003.269561710.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269846892.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269291500.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270209589.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270251842.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270065505.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270364674.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270502826.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270521009.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270595016.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269088362.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.359315417.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269962480.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270570836.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270015773.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269774997.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270164444.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269906203.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269177443.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.538676899.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270330397.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270293617.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270436624.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269702364.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270552508.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269489466.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270115883.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.268990492.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270537961.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270460769.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269398771.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270481780.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270398370.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 191bfstrategiv.exe PID: 7036, type: MEMORY
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004361D0 AnyPopup,ReleaseCapture,WidenPath,GetCaretBlinkTime,SaveDC,CreatePopupMenu,GetKeyState,CloseClipboard,GetInputState,CreateMenu,GetFocus,GetCaretBlinkTime,GetDialogBaseUnits,CharNextW,EndMenu,GetAsyncKeyState,GetCursor,CountClipboardFormats,GetKBCodePage,ReleaseCapture,CloseDesktop,GetDlgCtrlID,GetParent,CharLowerW,GetClipboardSequenceNumber,GetClipboardData,GetDialogBaseUnits,WidenPath,GetInputState,GetSysColor,CharLowerW,GetSysColorBrush,SaveDC,GetActiveWindow,GetDesktopWindow,GetMenu,GetListBoxInfo,GetClipboardOwner,GetCaretBlinkTime,SaveDC,GetCaretBlinkTime,CopyIcon,GetInputState,CountClipboardFormats,CloseClipboard,DestroyCursor,GetSysColorBrush,GetOpenClipboardWindow,GetKBCodePage,InSendMessage,SaveDC,ReleaseCapture,GetOpenClipboardWindow,GetClipboardData,EnumClipboardFormats,GetCapture,GetMenuContextHelpId,GetProcessWindowStation,GetMenuContextHelpId,StrokePath,GetDesktopWindow,CountClipboardFormats,EndMenu,StrokePath,GetClipboardSequenceNumber,AnyPopup,GetSysColor,GetKeyboardType,SaveDC,InSendMessage,SwapBuffers,GetKeyboardLayout,DestroyMenu,GetFocus,GetListBoxInfo,StrokePath,CopyIcon,GetMessageTime,GetActiveWindow,GetOpenClipboardWindow,GetClipboardSequenceNumber,GetMessageTime,EndMenu,GetAsyncKeyState,GetSysColor,CountClipboardFormats,GetKeyboardType,GetListBoxInfo,GetLastActivePopup,GetInputState,CharLowerA,CharLowerA,GetMessagePos,CloseDesktop,SetMetaRgn,CharLowerW,CopyIcon,CharUpperA,0_2_004361D0
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004361D0 AnyPopup,ReleaseCapture,WidenPath,GetCaretBlinkTime,SaveDC,CreatePopupMenu,GetKeyState,CloseClipboard,GetInputState,CreateMenu,GetFocus,GetCaretBlinkTime,GetDialogBaseUnits,CharNextW,EndMenu,GetAsyncKeyState,GetCursor,CountClipboardFormats,GetKBCodePage,ReleaseCapture,CloseDesktop,GetDlgCtrlID,GetParent,CharLowerW,GetClipboardSequenceNumber,GetClipboardData,GetDialogBaseUnits,WidenPath,GetInputState,GetSysColor,CharLowerW,GetSysColorBrush,SaveDC,GetActiveWindow,GetDesktopWindow,GetMenu,GetListBoxInfo,GetClipboardOwner,GetCaretBlinkTime,SaveDC,GetCaretBlinkTime,CopyIcon,GetInputState,CountClipboardFormats,CloseClipboard,DestroyCursor,GetSysColorBrush,GetOpenClipboardWindow,GetKBCodePage,InSendMessage,SaveDC,ReleaseCapture,GetOpenClipboardWindow,GetClipboardData,EnumClipboardFormats,GetCapture,GetMenuContextHelpId,GetProcessWindowStation,GetMenuContextHelpId,StrokePath,GetDesktopWindow,CountClipboardFormats,EndMenu,StrokePath,GetClipboardSequenceNumber,AnyPopup,GetSysColor,GetKeyboardType,SaveDC,InSendMessage,SwapBuffers,GetKeyboardLayout,DestroyMenu,GetFocus,GetListBoxInfo,StrokePath,CopyIcon,GetMessageTime,GetActiveWindow,GetOpenClipboardWindow,GetClipboardSequenceNumber,GetMessageTime,EndMenu,GetAsyncKeyState,GetSysColor,CountClipboardFormats,GetKeyboardType,GetListBoxInfo,GetLastActivePopup,GetInputState,CharLowerA,CharLowerA,GetMessagePos,CloseDesktop,SetMetaRgn,CharLowerW,CopyIcon,CharUpperA,0_2_004361D0
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004361D0 AnyPopup,ReleaseCapture,WidenPath,GetCaretBlinkTime,SaveDC,CreatePopupMenu,GetKeyState,CloseClipboard,GetInputState,CreateMenu,GetFocus,GetCaretBlinkTime,GetDialogBaseUnits,CharNextW,EndMenu,GetAsyncKeyState,GetCursor,CountClipboardFormats,GetKBCodePage,ReleaseCapture,CloseDesktop,GetDlgCtrlID,GetParent,CharLowerW,GetClipboardSequenceNumber,GetClipboardData,GetDialogBaseUnits,WidenPath,GetInputState,GetSysColor,CharLowerW,GetSysColorBrush,SaveDC,GetActiveWindow,GetDesktopWindow,GetMenu,GetListBoxInfo,GetClipboardOwner,GetCaretBlinkTime,SaveDC,GetCaretBlinkTime,CopyIcon,GetInputState,CountClipboardFormats,CloseClipboard,DestroyCursor,GetSysColorBrush,GetOpenClipboardWindow,GetKBCodePage,InSendMessage,SaveDC,ReleaseCapture,GetOpenClipboardWindow,GetClipboardData,EnumClipboardFormats,GetCapture,GetMenuContextHelpId,GetProcessWindowStation,GetMenuContextHelpId,StrokePath,GetDesktopWindow,CountClipboardFormats,EndMenu,StrokePath,GetClipboardSequenceNumber,AnyPopup,GetSysColor,GetKeyboardType,SaveDC,InSendMessage,SwapBuffers,GetKeyboardLayout,DestroyMenu,GetFocus,GetListBoxInfo,StrokePath,CopyIcon,GetMessageTime,GetActiveWindow,GetOpenClipboardWindow,GetClipboardSequenceNumber,GetMessageTime,EndMenu,GetAsyncKeyState,GetSysColor,CountClipboardFormats,GetKeyboardType,GetListBoxInfo,GetLastActivePopup,GetInputState,CharLowerA,CharLowerA,GetMessagePos,CloseDesktop,SetMetaRgn,CharLowerW,CopyIcon,CharUpperA,0_2_004361D0

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000000.00000003.269561710.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269846892.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269291500.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270209589.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270251842.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270065505.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270364674.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270502826.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270521009.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270595016.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269088362.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.359315417.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269962480.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270570836.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270015773.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269774997.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270164444.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269906203.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269177443.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.538676899.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270330397.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270293617.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270436624.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269702364.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270552508.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269489466.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270115883.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.268990492.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270537961.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270460769.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269398771.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270481780.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270398370.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 191bfstrategiv.exe PID: 7036, type: MEMORY

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
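Added detection example (not the report's own tooling): the ExecMethod lines above show the sample driving the registry through WMI's StdRegProv class in root\default instead of calling the registry API itself. The operation is carried out by the WMI provider host (WmiPrvSE.exe), so user-mode hooks on RegSetValueEx inside the sample's process never see it, and kernel registry callbacks attribute the write to WmiPrvSE.exe rather than to 191bfstrategiv.exe; the place to catch it is WMI method-call telemetry. The Python below parses lines in the shape the sandbox prints them (the sample input is constructed from the six lines above plus one unrelated ExecQuery that must be ignored), splits StdRegProv methods into read and write groups, and alerts only when a write method appears. The two method sets are the class's real method names; adapting this to another log source means changing only the regex.

```python
import re
from dataclasses import dataclass
from typing import Optional

# StdRegProv (root\default) methods, split by effect. The report shows three of
# the Set* variants plus one GetDWORDValue.
STDREGPROV_READ = {
    "CheckAccess", "EnumKey", "EnumValues", "GetBinaryValue", "GetDWORDValue",
    "GetExpandedStringValue", "GetMultiStringValue", "GetQWORDValue",
    "GetSecurityDescriptor", "GetStringValue",
}
STDREGPROV_WRITE = {
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetExpandedStringValue", "SetMultiStringValue", "SetQWORDValue",
    "SetSecurityDescriptor", "SetStringValue",
}

# Shape of the sandbox's evidence lines, e.g.
#   "WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue"
_EXEC_RE = re.compile(
    r"IWbemServices::ExecMethod\s+-\s+(?P<ns>[\w\\]+)\s*:\s*(?P<cls>\w+)::(?P<method>\w+)",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class WmiCall:
    namespace: str
    cls: str
    method: str

    @property
    def is_registry_write(self) -> bool:
        return self.cls.lower() == "stdregprov" and self.method in STDREGPROV_WRITE

    @property
    def is_registry_read(self) -> bool:
        return self.cls.lower() == "stdregprov" and self.method in STDREGPROV_READ

def parse_exec_method(line: str) -> Optional[WmiCall]:
    """Parse one ExecMethod evidence line; ExecQuery and other lines yield None."""
    m = _EXEC_RE.search(line)
    if not m:
        return None
    return WmiCall(m.group("ns"), m.group("cls"), m.group("method"))

def summarize(lines: list[str]) -> dict:
    """Count registry reads vs. writes issued through WMI and list the write methods.

    Set*/Create*/Delete* on StdRegProv from a process that never touches the
    registry API directly is the pattern this report shows. A lone Get* is normal
    for administrative scripts and is deliberately not an alert."""
    reads = writes = other = 0
    write_methods = []
    for line in lines:
        call = parse_exec_method(line)
        if call is None:
            continue
        if call.is_registry_write:
            writes += 1
            write_methods.append(call.method)
        elif call.is_registry_read:
            reads += 1
        else:
            other += 1
    return {
        "reads": reads,
        "writes": writes,
        "other_exec_methods": other,
        "write_methods": sorted(set(write_methods)),
        "alert": writes > 0,
    }

# Constructed input: the six ExecMethod lines from this report and one ExecQuery
# line (also from the report) that the parser must skip.
SAMPLE_LINES = [
    r"WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue",
    r"WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue",
    r"WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue",
    r"WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue",
    r"WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue",
    r"WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue",
    r"WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```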
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_00401EB1 NtQueryVirtualMemory,0_2_00401EB1
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_00565213 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle,0_2_00565213
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056D5A3 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError,0_2_0056D5A3
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056E0FC RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,0_2_0056E0FC
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_00401C900_2_00401C90
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056E66C0_2_0056E66C
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056F2200_2_0056F220
            Source: 191bfstrategiv.exeStatic PE information: Resource name: RT_RCDATA type: MS-DOS executable
            Source: 191bfstrategiv.exe, 00000000.00000002.538479091.00000000022C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs 191bfstrategiv.exe
            Source: 191bfstrategiv.exe, 00000000.00000002.538405174.0000000002110000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsvfw32.dll.muij% vs 191bfstrategiv.exe
            Source: 191bfstrategiv.exe, 00000000.00000002.538541412.0000000002360000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs 191bfstrategiv.exe
            Source: classification engineClassification label: mal80.bank.troj.evad.winEXE@20/61@23/0
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Users\user\Desktop\191bfstrategiv.exeMutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
            Source: C:\Users\user\Desktop\191bfstrategiv.exeFile created: C:\Users\user\AppData\Local\Temp\7B11.bin
            Source: 191bfstrategiv.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\191bfstrategiv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\191bfstrategiv.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\191bfstrategiv.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: unknownProcess created: C:\Users\user\Desktop\191bfstrategiv.exe 'C:\Users\user\Desktop\191bfstrategiv.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5672 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4856 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6328 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6860 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5644 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5232 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5672 CREDAT:17410 /prefetch:2
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4856 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6328 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6860 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5644 CREDAT:17410 /prefetch:2
            Source: C:\Users\user\Desktop\191bfstrategiv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\191bfstrategiv.exeUnpacked PE file: 0.2.191bfstrategiv.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\191bfstrategiv.exeUnpacked PE file: 0.2.191bfstrategiv.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004019E1 GetModuleHandleW,LoadLibraryW,GetProcAddress,0_2_004019E1
            Source: 191bfstrategiv.exeStatic PE information: real checksum: 0x4476e should be: 0x44808
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_00401C7F push ecx; ret 0_2_00401C8F
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004120DE pushad ; iretd 0_2_004120ED
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_00412080 pushad ; iretd 0_2_004120ED
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004127A5 push edx; iretd 0_2_004127AC
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056F20F push ecx; ret 0_2_0056F21F
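Added worked example (not part of the report): the "real checksum ... should be ..." line above compares the CheckSum stored in the PE optional header with the value recomputed over the file. The algorithm, the one imagehlp's CheckSumMappedFile implements, sums the file as 32-bit words with the CheckSum field itself treated as zero, folds carries back in, folds the result to 16 bits and adds the file length. The Python below implements it and checks it against a constructed 312-byte PE-shaped buffer (MZ header, e_lfanew, PE signature, zeroed file and optional headers; it is not a loadable image), first with a bogus stored value and then with the correct one. A zero CheckSum only means the linker never filled it in, and Windows enforces the field only for kernel drivers and DLLs loaded at boot, so zero is unremarkable on its own; a non-zero value that does not match, as here, means the bytes changed after linking, which fits the unpacking behaviour listed in this section.

```python
import struct

def _checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (file header) + 0x40."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    return e_lfanew + 4 + 20 + 0x40

def pe_checksum(data: bytes) -> int:
    """Recompute the header CheckSum the way CheckSumMappedFile does: sum the file as
    little-endian dwords with the CheckSum field itself skipped, fold each carry back in,
    fold the sum to 16 bits, then add the file length."""
    skip = _checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)        # pad to a dword boundary
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:                        # one's-complement style carry fold
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def verify_checksum(data: bytes) -> dict:
    """Return stored vs. computed CheckSum with a verdict:
    'unset'    - field is zero, linker never filled it in (common, not suspicious alone)
    'valid'    - stored value matches the recomputation
    'mismatch' - bytes changed after linking (packing/patching), what the report flags."""
    off = _checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "valid"
    else:
        verdict = "mismatch"
    return {"stored": stored, "computed": computed, "verdict": verdict}

def build_minimal_pe(stored_checksum: int) -> bytes:
    """Constructed 312-byte stand-in for a PE32 file: MZ header, e_lfanew = 0x40,
    PE signature, zeroed 20-byte file header and 224-byte optional header with the
    given CheckSum. Enough for the checksum math; it is not loadable."""
    buf = bytearray(0x40 + 4 + 20 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 0x40, stored_checksum)
    return bytes(buf)

if __name__ == "__main__":
    tampered = build_minimal_pe(0xDEADBEEF)
    print(verify_checksum(tampered))                  # verdict: mismatch
    fixed = build_minimal_pe(pe_checksum(tampered))
    print(verify_checksum(fixed))                     # verdict: valid
```

To run this against the real sample, read the file bytes and call verify_checksum on them; the two numbers it returns are the ones the report prints on the checksum line.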

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000000.00000003.269561710.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269846892.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269291500.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270209589.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270251842.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270065505.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270364674.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270502826.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270521009.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270595016.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269088362.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.359315417.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269962480.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270570836.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270015773.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269774997.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270164444.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269906203.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269177443.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.538676899.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270330397.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270293617.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270436624.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269702364.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270552508.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269489466.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270115883.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.268990492.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270537961.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270460769.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.269398771.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270481780.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.270398370.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 191bfstrategiv.exe PID: 7036, type: MEMORY
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\191bfstrategiv.exe TID: 2920Thread sleep time: -60000s >= -30000s
            Source: iexplore.exe, 0000001B.00000002.539232767.00000000029F6000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_004019E1 GetModuleHandleW,LoadLibraryW,GetProcAddress,0_2_004019E1
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_00401921 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess,0_2_00401921
            Source: C:\Users\user\Desktop\191bfstrategiv.exeMemory protected: page execute read | page execute and read and write | page guard
            Source: 191bfstrategiv.exe, 00000000.00000002.538309044.0000000000CC0000.00000002.00000001.sdmp, iexplore.exe, 0000001B.00000002.539590753.0000000003050000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: 191bfstrategiv.exe, 00000000.00000002.538309044.0000000000CC0000.00000002.00000001.sdmp, iexplore.exe, 0000001B.00000002.539590753.0000000003050000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: 191bfstrategiv.exe, 00000000.00000002.538309044.0000000000CC0000.00000002.00000001.sdmp, iexplore.exe, 0000001B.00000002.539590753.0000000003050000.00000002.00000001.sdmpBinary or memory string: Program ManagerNd[\
            Source: 191bfstrategiv.exe, 00000000.00000002.538309044.0000000000CC0000.00000002.00000001.sdmp, iexplore.exe, 0000001B.00000002.539590753.0000000003050000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056C97C cpuid 0_2_0056C97C
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,0_2_00568DE8
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0040180B GetSystemTimeAsFileTime,memcpy,memcpy,memcpy,memset,0_2_0040180B
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056C97C GetUserNameW,0_2_0056C97C
            Source: C:\Users\user\Desktop\191bfstrategiv.exeCode function: 0_2_0056B11E CreateMutexW,GetLastError,GetLastError,GetVersionExA,GetModuleHandleA,RtlImageNtHeader,CloseHandle,0_2_0056B11E
            Source: C:\Users\user\Desktop\191bfstrategiv.exeWMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match; File source: 00000000.00000003.269561710.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269846892.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269291500.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270209589.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270251842.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270065505.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270364674.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270502826.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270521009.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270595016.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269088362.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.359315417.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269962480.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270570836.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270015773.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269774997.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270164444.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269906203.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269177443.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.538676899.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270330397.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270293617.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270436624.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269702364.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270552508.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269489466.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270115883.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.268990492.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270537961.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270460769.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269398771.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270481780.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270398370.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: 191bfstrategiv.exe PID: 7036, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match; File source: 00000000.00000003.269561710.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269846892.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269291500.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270209589.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269633768.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270251842.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270065505.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270364674.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270502826.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270521009.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270595016.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269088362.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.359315417.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269962480.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270570836.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270015773.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269774997.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270164444.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269906203.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269177443.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.538676899.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270330397.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270293617.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270436624.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269702364.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270552508.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269489466.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270115883.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.268990492.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270537961.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270460769.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.269398771.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270481780.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.270398370.0000000003360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: 191bfstrategiv.exe PID: 7036, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 2 | Masquerading 1 | Input Capture 11 | System Time Discovery 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 2 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 25 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet