Analysis Report pjhjuc.jpg

Overview

General Information

Sample Name: pjhjuc.jpg (renamed file extension from jpg to exe)
Analysis ID: 255322
MD5: 24e578762b065d2df269dbe5b25a725c
SHA1: adf0aaf83b186fc9877c5632d66e11240db90f23
SHA256: 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • pjhjuc.exe (PID: 4616 cmdline: 'C:\Users\user\Desktop\pjhjuc.exe' MD5: 24E578762B065D2DF269DBE5B25A725C)
    • pjhjuc.exe (PID: 4812 cmdline: 'C:\Users\user\Desktop\pjhjuc.exe' MD5: 24E578762B065D2DF269DBE5B25A725C)
      • explorer.exe (PID: 3416 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 7068 cmdline: /c del 'C:\Users\user\Desktop\pjhjuc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.503253654.0000000003020000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.503253654.0000000003020000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000005.00000002.503253654.0000000003020000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000000.00000002.233154231.0000000002590000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.233154231.0000000002590000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.pjhjuc.exe.25c0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.pjhjuc.exe.25c0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0.2.pjhjuc.exe.25c0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0.2.pjhjuc.exe.2590000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.pjhjuc.exe.2590000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Machine Learning detection for sample
Source: pjhjuc.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 0_2_0040546C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_0040546C
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 5_2_0302F740 FindFirstFileW,FindNextFileW,FindClose,5_2_0302F740
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 4x nop then pop edi, 1_2_00415294
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 4x nop then pop esi, 1_2_0041545E
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 4x nop then pop ebx, 1_2_00406639
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 4x nop then pop edi, 1_1_00415294
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 4x nop then pop esi, 1_1_0041545E
Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 4x nop then pop ebx, 1_1_00406639
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop edi, 5_2_03035294
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop ebx, 5_2_03026639
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop esi, 5_2_0303545E
Source: global traffic, HTTP traffic detected: GET /rcgc/?hbmT8RFH=YjwchmjBb6mlA3OajanWAoDJkec7ObUcl33zvEUxHs8VjPWEOpPt5NffZvTXomkpPR5fAXM/1g==&CZD87N=YV8pavf HTTP/1.1 Host: www.xn--oy2b11lymexwcbzy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: g.msn.com
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.258356096.000000000FA50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000002.00000000.258356096.000000000FA50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000002.00000000.243840910.0000000004020000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.260134632.0000000011516000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000002.00000000.259014247.000000000FB43000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 0_2_004276A0 GetClipboardData, CopyEnhMetaFileA, GetEnhMetaFileHeader
          Source: C:\Users\user\Desktop\pjhjuc.exe, Code function: 0_2_0044C860 GetKeyboardState

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.503253654.0000000003020000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.503253654.0000000003020000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group