Analysis Report tS9P6wPz9x

Overview

General Information

Sample Name: tS9P6wPz9x (renamed file extension from none to exe)
Analysis ID: 353325
MD5: 39d22b8f3da4a83cd957f324f2423309
SHA1: 70baae39f80e8917a71353110bb85e797e23524a
SHA256: c8c169ad2628ff3860c4d0bd04afeb81262051f664f9d5a334c32c78e791a7f8

Detection

Sodinokibi
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Found Tor onion address
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Startup

  • System is w10x64
  • tS9P6wPz9x.exe (PID: 2844 cmdline: 'C:\Users\user\Desktop\tS9P6wPz9x.exe' MD5: 39D22B8F3DA4A83CD957F324F2423309)
  • unsecapp.exe (PID: 6192 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": ["dbsnmp", "excel", "ocssd", "outlook", "sql", "mydesktopqos", "infopath", "thunderbird", "synctime", "ocomm", "wordpad", "sqbcoreservice", "encsvc", "msaccess", "agntsvc", "mydesktopservice", "xfssvccon", "powerpnt", "isqlplussvc", "winword", "onenote", "firefox", "thebat", "dbeng50", "tbirdconfig", "visio", "mspub", "steam", "oracle", "ocautoupds"], "sub": "6815", "svc": ["mepocs", "sophos", "backup", "veeam", "sql", "svc$", "memtas", "vss"], "wht": {"ext": ["com", "386", "ldf", "cur", "deskthemepack", "spl", "ocx", "cpl", "prf", "icl", "scr", "msi", "msu", "msp", "ico", "drv", "ps1", "ics", "bat", "exe", "diagpkg", "themepack", "nomedia", "rtp", "msstyles", "msc", "hlp", "key", "adv", "dll", "theme", "lock", "diagcab", "sys", "icns", "nls", "diagcfg", "cmd", "hta", "mpa", "mod", "lnk", "bin", "idx", "cab", "rom", "wpx", "shs", "ani"], "fls": ["boot.ini", "bootfont.bin", "ntuser.dat", "desktop.ini", "bootsect.bak", "iconcache.db", "ntuser.ini", "ntldr", "thumbs.db", "ntuser.dat.log", "autorun.inf"], "fld": ["windows.old", "boot", "$recycle.bin", "program files (x86)", "mozilla", "programdata", "appdata", "google", "tor browser", "perflogs", "intel", "$windows.~bt", "msocache", "application data", "program files", "$windows.~ws", "system volume information", "windows"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": "[domain list omitted]", "dbg": false, "pid": "$2a$10$sYj.VWTKCY5QkbqRNRCogemc/JqEL1sMmXrIjgYNnJIardparjHz.", "nbody": "[omitted]", "et": 0, "wipe": true, "wfld": ["backup"], "rdmcnt": 0, "nname": "{EXT}-readme.txt", "pk": "FDtJqlbkMA5DjrKi/sH653OY4J4hBtpB+JyN0FRpo3U=", "net": true, "exp": false, "arn": false}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
tS9P6wPz9x.exe | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4cee:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x9a4e:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa03a:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x9273:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x9a3d:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.204386386.0000000002DB9000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000003.204547357.0000000002DB9000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000000.203907016.00000000009C1000.00000020.00020000.sdmp | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x48ee:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x964e:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9c3a:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x8e73:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x963d:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
00000000.00000003.204201424.0000000002DB9000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000003.204266101.0000000002DB9000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.tS9P6wPz9x.exe.9c0000.1.unpack | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4cee:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x9a4e:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa03a:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x9273:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x9a3d:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
0.0.tS9P6wPz9x.exe.9c0000.0.unpack | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4cee:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x9a4e:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa03a:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x9273:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x9a3d:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: tS9P6wPz9x.exe, Avira: detected
Found malware configuration
  Source: tS9P6wPz9x.exe.2844.0.memstr, Malware Configuration Extractor: Sodinokibi (configuration as listed under Malware Configuration)
          Multi AV Scanner detection for domain / URL
          Source: 365questions.org | Virustotal: Detection: 6%
          Multi AV Scanner detection for submitted file
          Source: tS9P6wPz9x.exe | Virustotal: Detection: 75%
          Machine Learning detection for sample
          Source: tS9P6wPz9x.exe | Joe Sandbox ML: detected
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | Code function: 0_2_009C5CDE CryptStringToBinaryW,CryptStringToBinaryW,0_2_009C5CDE
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | Code function: 0_2_009C541B CryptAcquireContextW,CryptGenRandom,0_2_009C541B
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | Code function: 0_2_009C5D3F CryptBinaryToStringW,CryptBinaryToStringW,0_2_009C5D3F

          Compliance:

          Uses 32bit PE files
          Source: tS9P6wPz9x.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Creates license or readme file
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File created: C:\4wfaj7427w-readme.txt
          Uses secure TLS version for HTTPS connections
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | Code function: 0_2_009C761A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,0_2_009C761A
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\NULL
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\manifest.json
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\_platform_specific
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\_platform_specific\win_x64
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\_platform_specific\NULL
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\LICENSE

          Networking:

          Found Tor onion address
          Source: tS9P6wPz9x.exe, 00000000.00000003.204300775.0000000002DF5000.00000004.00000040.sdmp | String found in binary or memory: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
          Source: tS9P6wPz9x.exe, 00000000.00000003.204300775.0000000002DF5000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
          Source: tS9P6wPz9x.exe, 00000000.00000003.364421083.0000000002DF0000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05EE5FC73EB66605
          Source: 4wfaj7427w-readme.txt.0.dr | String found in binary or memory: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
          Source: 4wfaj7427w-readme.txt.0.dr | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05EE5FC73EB66605
          Source: unknown | Network traffic detected: DNS query count 46
          Source: unknown | Network traffic detected: IP country count 13
          Source: Joe Sandbox View | IP Address: 136.243.147.81
          Source: Joe Sandbox View | IP Address: 184.168.131.241
          Source: Joe Sandbox View | ASN Name: SIMPLYTRANSITGB
          Source: Joe Sandbox View | ASN Name: REGISTER_UK-ASGB
          Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
          Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
          Source: unknown | DNS traffic detected: queries for: asgestion.com
          Source: tS9P6wPz9x.exe, 00000000.00000003.487651393.0000000000BD6000.00000004.00000001.sdmpString found in binary or memory: https://certs.starfieldtY9R
          Source: tS9P6wPz9x.exe, 00000000.00000003.487651393.0000000000BD6000.00000004.00000001.sdmpString found in binary or memory: https://certs.starfieldtech.com/repository/0
          Source: tS9P6wPz9x.exe, 00000000.00000003.533241518.0000000000C0B000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.533049801.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://conexa4papers.trade/data/pictures/ku.gif
          Source: tS9P6wPz9x.exe, 00000000.00000003.533241518.0000000000C0B000.00000004.00000001.sdmpString found in binary or memory: https://conexa4papers.trade/data/pictures/ku.gifC
          Source: tS9P6wPz9x.exe, 00000000.00000003.533049801.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://conexa4papers.trade:443/data/pictures/ku.gifpsvmkrt.pngmediaacademy-iraq.orgmediaacademy-ira
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.515240536.00000000038F6000.00000004.00000001.sdmpString found in binary or memory: https://developers.google.com/analytics/devguides/collection/analyticsjs/
          Source: tS9P6wPz9x.exe, 00000000.00000003.515274231.00000000038C1000.00000004.00000001.sdmpString found in binary or memory: https://digivod.de/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.515274231.00000000038C1000.00000004.00000001.sdmpString found in binary or memory: https://digivod.de/wp-
          Source: tS9P6wPz9x.exe, 00000000.00000003.515274231.00000000038C1000.00000004.00000001.sdmpString found in binary or memory: https://digivod.de/wp-content/plugins/bst-dsgvo-cookie/includes/css/bst-mesage.css?ver=5.6.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.515274231.00000000038C1000.00000004.00000001.sdmpString found in binary or memory: https://digivod.de/wp-content/plugins/bst-dsgvo-cookie/includes/css/style.css?ver=5.6.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.515274231.00000000038C1000.00000004.00000001.sdmpString found in binary or memory: https://digivod.de/wp-includes/css/dist/block-library/style.min.css?ver=5.6.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.515274231.00000000038C1000.00000004.00000001.sdmpString found in binary or memory: https://digivod.de/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.468482047.0000000000BC0000.00000004.00000001.sdmpString found in binary or memory: https://dontpassthepepper.com/1
          Source: tS9P6wPz9x.exe, 00000000.00000003.466766008.0000000000BFC000.00000004.00000001.sdmpString found in binary or memory: https://dontpassthepepper.com/wp-content/tmp/mitn.jpgt
          Source: tS9P6wPz9x.exe, 00000000.00000003.466766008.0000000000BFC000.00000004.00000001.sdmpString found in binary or memory: https://dontpassthepepper.com:443/wp-content/tmp/mitn.jpgo
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Lato:100
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
          Source: tS9P6wPz9x.exe, 00000000.00000003.492431696.00000000038CC000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Oswald
          Source: tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
          Source: tS9P6wPz9x.exe, 00000000.00000003.474321416.00000000038CA000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Ubuntu
          Source: tS9P6wPz9x.exe, 00000000.00000003.474321416.00000000038CA000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Ubuntu:400
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/anticslab/v9/bWt97fPFfRzkCa9Jlp6IacVcWkxq9Qs.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizYRExUiTo99u79D0e0w8mOAjcQ-woy.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizYRExUiTo99u79D0e0x8mOAjcQ-w.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizYRExUiTo99u79D0e0ycmOAjcQ-woy.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizYRExUiTo99u79D0e0ysmOAjcQ-woy.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0-Ew8OPIDUg-g.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizdRExUiTo99u79D0e8fOydIRUb0TA7i2bI.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizdRExUiTo99u79D0e8fOydIhUb0TA7i2bI.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizdRExUiTo99u79D0e8fOydKxUb0TA7i2bI.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizdRExUiTo99u79D0e8fOydLxUb0TA7iw.woff)
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://gemeentehetkompas.nl/
          Source: tS9P6wPz9x.exe, 00000000.00000003.532818048.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://gemeentehetkompas.nl/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://gmpg.org/xfn/11
          Source: tS9P6wPz9x.exe, 00000000.00000002.602165365.0000000002E15000.00000004.00000040.sdmpString found in binary or memory: https://havecamerawilltravel2017.wordpress.com/include/assets/afgilbpg.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.537209069.0000000000C0E000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/#website
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/comments/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.537157164.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/include/pics/ejtmxcqjwhdy.gif
          Source: tS9P6wPz9x.exe, 00000000.00000003.537209069.0000000000C0E000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/l
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-content/plugins/google-a
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-content/plugins/google-analytics-dashboard-for-wp/assets/css/fro
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-content/plugins/tablepress/css/default.min.css?ver=1.12
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-content/themes/rainforest/style.css?ver=5.6.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-includes/css/di
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.537157164.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://huehnerauge-entfernen.de:443/include/pics/ejtmxcqjwhdy.gif
          Source: tS9P6wPz9x.exe, 00000000.00000003.537209069.0000000000C0E000.00000004.00000001.sdmpString found in binary or memory: https://humancondition.com/include/assets/fkyihxilog.gif
          Source: tS9P6wPz9x.exe, 00000000.00000002.596864356.0000000000B4A000.00000004.00000020.sdmpString found in binary or memory: https://idemblogs.com/
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://idemblogs.com/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://idemblogs.com:443/uploads/image/aeun.jpgwww.kmbshipping.co.ukwww.kmbshipping.co.ukW
          Source: tS9P6wPz9x.exe, 00000000.00000003.515334796.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://ikads.org/admin/graphic/fnblbl.gif
          Source: tS9P6wPz9x.exe, 00000000.00000003.515334796.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://ikads.org/admin/graphic/fnblbl.gifC
          Source: tS9P6wPz9x.exe, 00000000.00000003.517413012.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://ikads.org/gF
          Source: tS9P6wPz9x.exe, 00000000.00000003.515334796.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://ikads.org:443/admin/graphic/fnblbl.gifn.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://issuu.com/theintermediagroup/docs/spa___clinic_volume_83
          Source: tS9P6wPz9x.exe, 00000000.00000002.597178188.0000000000B7E000.00000004.00000020.sdmp, tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://kmbshipping.co.uk/admin/pics/xukxqlujcu.gif
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://kreaturamedia.com/layerslider-responsive-wordpress-slider-plugin/
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/#website
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/?s=
          Source: tS9P6wPz9x.exe, 00000000.00000003.494465726.0000000000BEF000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.487651393.0000000000BD6000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/admin/assets/gzpcgard.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/comments/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/wp-content/plugins/salient-social/css/style.css?ver=1.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://latribuessentielle.com/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://mailchi.mp/1cfeb1a8f2e4/this-offer-is-lit-30-off-when-your-a-luxe-vip-member
          Source: tS9P6wPz9x.exe, 00000000.00000003.517436386.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://manifestinglab.com/
          Source: tS9P6wPz9x.exe, 00000000.00000003.517436386.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://manifestinglab.com/news/tmp/pakc.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.517436386.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://manifestinglab.com/news/tmp/pakc.jpgC
          Source: tS9P6wPz9x.exe, 00000000.00000003.517436386.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://manifestinglab.com:443/news/tmp/pakc.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.533049801.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://mediaacademy-iraq.org/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.533049801.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://menexa4papers.trade/
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/#website
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/?s=
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/comments/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/uploads/image/burgajaobu.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.468434175.0000000000B89000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/uploads/image/burgajaobu.pngif
          Source: tS9P6wPz9x.exe, 00000000.00000003.468434175.0000000000B89000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/uploads/image/burgajaobu.pngifh
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com/xmlrpc.php
          Source: tS9P6wPz9x.exe, 00000000.00000003.466766008.0000000000BFC000.00000004.00000001.sdmpString found in binary or memory: https://narcert.com:443/uploads/image/burgajaobu.png
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://nsec.se/
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://nsec.se/R
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://nsec.se/data/image/od.png
          Source: tS9P6wPz9x.exe, 00000000.00000002.597646329.0000000000BC0000.00000004.00000020.sdmpString found in binary or memory: https://nsec.se:443/data/image/od.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.459057587.0000000000C10000.00000004.00000001.sdmpString found in binary or memory: https://ogp.me/ns#
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://open.spotify.com/episode/2z7qIfZlCzb04pemsS18kR
          Source: tS9P6wPz9x.exe, 00000000.00000003.536985973.00000000038ED000.00000004.00000001.sdmpString found in binary or memory: https://pierrehale.com/comments/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.536985973.00000000038ED000.00000004.00000001.sdmpString found in binary or memory: https://pierrehale.com/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.536985973.00000000038ED000.00000004.00000001.sdmpString found in binary or memory: https://pierrehale.com/wp-content/themes/neve/style.min.css?ver=2.5.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.536985973.00000000038ED000.00000004.00000001.sdmpString found in binary or memory: https://pierrehale.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3
          Source: tS9P6wPz9x.exe, 00000000.00000003.536985973.00000000038ED000.00000004.00000001.sdmpString found in binary or memory: https://pierrehale.com/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.533049801.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://pierrehale.com:443/data/images/zaqg.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.536985973.00000000038ED000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: tS9P6wPz9x.exe, 00000000.00000003.458962661.0000000000BCF000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmp, tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552769617.00000000038EA000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.492431696.00000000038CC000.00000004.00000001.sdmpString found in binary or memory: https://schema.org
          Source: tS9P6wPz9x.exe, 00000000.00000003.475262020.0000000000BCF000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://secureservercdn.net
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://secureservercdn.net/166.62.110.232/c93.18f.myftpupload.com/wp-content/plugins/woocommerce/as
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://secureservercdn.net/166.62.110.232/c93.18f.myftpupload.com/wp-content/plugins/woocommerce/pa
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://secureservercdn.net/166.62.110.232/c93.18f.myftpupload.com/wp-content/plugins/wp-quiz-pro/as
          Source: tS9P6wPz9x.exe, 00000000.00000003.463616465.0000000000C06000.00000004.00000001.sdmpString found in binary or memory: https://secureservercdn.net/166.62.110.232/c93.18f.myftpupload.com/wp-includes/css/dist/block-librar
          Source: tS9P6wPz9x.exe, 00000000.00000003.533049801.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://stacyloeb.com:443/admin/pictures/zaxbpsbj.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.517413012.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://theduke.de/
          Source: tS9P6wPz9x.exe, 00000000.00000003.517436386.0000000000BFD000.00000004.00000001.sdmpString found in binary or memory: https://theduke.de:443/wp-content/game/ybtz.gif=Tue
          Source: tS9P6wPz9x.exe, 00000000.00000003.537157164.0000000000BEF000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552472095.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://thewellnessmimi.com/content/images/oxvcjy.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.537157164.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://thewellnessmimi.com:443/content/images/oxvcjy.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.204300775.0000000002DF5000.00000004.00000040.sdmp, 4wfaj7427w-readme.txt.0.drString found in binary or memory: https://torproject.org/
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://tr5questions.org/
          Source: tS9P6wPz9x.exe, 00000000.00000002.597178188.0000000000B7E000.00000004.00000020.sdmpString found in binary or memory: https://transportesycementoshidalgo.es/
          Source: tS9P6wPz9x.exe, 00000000.00000002.597178188.0000000000B7E000.00000004.00000020.sdmpString found in binary or memory: https://transportesycementoshidalgo.es/Y9R
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/
          Source: tS9P6wPz9x.exe, 00000000.00000003.515240536.00000000038F6000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/?s=
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/CF
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/_F
          Source: tS9P6wPz9x.exe, 00000000.00000003.515240536.00000000038F6000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/comments/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.515240536.00000000038F6000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/static/image/gtkbwaiygsdn.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co/static/image/gtkbwaiygsdn.jpgg
          Source: tS9P6wPz9x.exe, 00000000.00000003.508481116.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://truenyc.co:443/static/image/gtkbwaiygsdn.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.474321416.00000000038CA000.00000004.00000001.sdmpString found in binary or memory: https://trulynolen.ca/wp-content/uploads/2016/09/Mousecar-Canada.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.475105112.0000000000BDA000.00000004.00000001.sdmpString found in binary or memory: https://trulynolen.co.uk:443/static/pictures/xxidcvpd.gif
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://tulsawaterheaterinstallation.com/news/image/rf.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.487651393.0000000000BD6000.00000004.00000001.sdmpString found in binary or memory: https://tulsawaterheaterinstallation.com/news/image/rf.jpgvqL
          Source: tS9P6wPz9x.exe, 00000000.00000003.487569474.0000000000BED000.00000004.00000001.sdmpString found in binary or memory: https://tulsawaterheaterinstallation.com:443/news/image/rf.jpgy
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/YouBySia
          Source: tS9P6wPz9x.exe, 00000000.00000003.492431696.00000000038CC000.00000004.00000001.sdmpString found in binary or memory: https://use.fontawesome.com/releases/v5.8.1/css/all.css
          Source: tS9P6wPz9x.exe, 00000000.00000003.494503060.0000000000C0F000.00000004.00000001.sdmpString found in binary or memory: https://withahmed.com/Z
          Source: tS9P6wPz9x.exe, 00000000.00000003.494503060.0000000000C0F000.00000004.00000001.sdmpString found in binary or memory: https://withahmed.com/uploads/game/snzazo.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.494503060.0000000000C0F000.00000004.00000001.sdmpString found in binary or memory: https://withahmed.com/uploads/game/snzazo.jpgC
          Source: tS9P6wPz9x.exe, 00000000.00000003.494465726.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://withahmed.com:443/uploads/game/snzazo.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://wordpress.org/plugins/mailchimp-for-wp/
          Source: tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://www.365questions.org/
          Source: tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://www.365questions.org/#website
          Source: tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://www.365questions.org/?s=
          Source: tS9P6wPz9x.exe, 00000000.00000003.508365201.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://www.365questions.org/category/emploi/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-laser-treatment/thermique/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/acne-blackheads-breakout/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/aging-skin/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/dry-dehydrated-skin/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/enlarged-pores/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/loose-saggy-tummy/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/pigmentation-removal/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/rosacea-treatment/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/scar-removal-treatment/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/stretch-marks-removal/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-skin-condition/unwanted-hair/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/by-treatment/laser-treatment/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/by-treatment/skin-treatments/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/by-treatment/thermique/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552385040.0000000000BE1000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/comments/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/contact-us/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/contact-us/laser-skin-clinic-bondi-junction/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/contact-us/laser-skin-clinic-sydney-cbd/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/dry-dehydrated-skin/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552283944.00000000038F1000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/enlarged-pores/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/facts-about-anti-aging-treatments-you-should-know/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/feed/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/laser-dry-skin-treatment-to-get-smooth-and-hydrated-skin/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/laser-hair-removal/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/laser-treatment/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/loose-saggy-tummy/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/membership/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/pigmentation/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/privacy-policy/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/promotion
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/promotion/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/rosacea-treatment/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/skin-treatments/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/stretch-marks/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/terms-conditions/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/testimonial/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/thermique/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552283944.00000000038F1000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/this-is-why-we-recommend-lasers-for-rosacea-treatment/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/unwanted-hair/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552472095.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/uploads/graphic/femvpu.pngk
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.2.2
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.2.2
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/plugins/mailchimp-for-wp/assets/js/forms.min.js?ver=4.8
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/animate.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/bootstrap.min.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/button.hover.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/custom.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/owl.carousel.min.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/owl.theme.default.min.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/responsive.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/css/youtubecss.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/banner/mobile/3.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/banner/mobile/4.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/banner/mobile/banner-1-mobile.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/banner/mobile/luxe-vip-mobile.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/icons/book-consult.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/inner-background/testimonial-bg.jpg);
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/images/logo/favicon.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/js/bootstrap.min.js?ver=1
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/js/jquery.min.js?ver=1
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/js/owl.carousel.min.js?ver=1
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/js/wow.min.js?ver=1
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/themes/youbysia/js/youtubejs.js?ver=1
          Source: tS9P6wPz9x.exe, 00000000.00000002.602709705.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uplo
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/06/1.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/06/2.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/06/3.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/06/4.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/06/5.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/06/6.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/1.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/1.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/10.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/2.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/3.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/4.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/5.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/6.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/7.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/8.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/9.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/Sia-Logo
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/07/afterpay.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/08/1-1.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/08/EOFY-40-FB-Post-1.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/09/Press-release-on-Socail-101-YouBySia.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/09/Sia-Hendry-podcast-LAser-Facial-Treatments.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/10/tlc.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/11/Coz-beauty-magazine.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/11/Group-194-1.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/11/Sunrise-7-show.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/11/spa-clinic-magazine.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Blog-Img_001.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Group-156.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Image-from-iOS.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Img-01.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/LGBT_flag-_YBS.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Youbysia_web-banner_v003-01.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Youbysia_web-banner_v003-1.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Youbysia_web-banner_v003-2.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/Youbysia_web-banner_v003.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmp, tS9P6wPz9x.exe, 00000000.00000002.602709705.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2020/12/phone.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmp, tS9P6wPz9x.exe, 00000000.00000003.552283944.00000000038F1000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2021/01/rosacea-treatment.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2021/02/Laser-Treatment-for-Dry-skin-You-By-Sia-2.jpg
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-content/uploads/2021/02/Popup-Design_v001-1.png
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-includes/css/dist/block-library/style.min.css?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-includes/js/wp-embed.min.js?ver=5.4.4
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-includes/wlwmanifest.xml
          Source: tS9P6wPz9x.exe, 00000000.00000003.552472095.0000000000BEF000.00000004.00000001.sdmp, tS9P6wPz9x.exe, 00000000.00000002.602709705.00000000038EA000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au/wp-json/
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fyoubysia.com.au%2F
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fyoubysia.com.au%2F&#038;format=xm
          Source: tS9P6wPz9x.exe, 00000000.00000003.554582389.0000000002A41000.00000004.00000040.sdmpString found in binary or memory: https://youbysia.com.au/xmlrpc.php?rsd
          Source: tS9P6wPz9x.exe, 00000000.00000003.552472095.0000000000BEF000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.com.au:443/
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.gettimely.com/book
          Source: tS9P6wPz9x.exe, 00000000.00000003.552336995.000000000391A000.00000004.00000001.sdmpString found in binary or memory: https://youbysia.gettimely.com/giftvouchers/mobile
          Source: unknownHTTPS traffic detected: 185.2.4.64:443 -> 192.168.2.3:49741 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 87.230.41.243:443 -> 192.168.2.3:49742 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 166.62.110.232:443 -> 192.168.2.3:49743 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 74.220.215.94:443 -> 192.168.2.3:49744 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 91.201.60.54:443 -> 192.168.2.3:49745 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 66.155.35.240:443 -> 192.168.2.3:49746 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 77.72.5.145:443 -> 192.168.2.3:49748 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 77.72.5.145:443 -> 192.168.2.3:49749 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.175.106.113:443 -> 192.168.2.3:49751 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 91.195.240.117:443 -> 192.168.2.3:49752 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 89.46.91.28:443 -> 192.168.2.3:49753 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.168.131.241:443 -> 192.168.2.3:49754 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 136.243.147.81:443 -> 192.168.2.3:49755 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.165.53.185:443 -> 192.168.2.3:49756 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 85.234.145.174:443 -> 192.168.2.3:49757 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 85.234.145.174:443 -> 192.168.2.3:49758 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.137.75.185:443 -> 192.168.2.3:49759 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 185.107.227.241:443 -> 192.168.2.3:49760 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.78.13:443 -> 192.168.2.3:49761 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.139.128.10:443 -> 192.168.2.3:49762 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 159.69.118.212:443 -> 192.168.2.3:49763 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 185.98.131.150:443 -> 192.168.2.3:49764 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 83.166.155.153:443 -> 192.168.2.3:49765 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.93.110.250:443 -> 192.168.2.3:49766 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 94.16.115.81:443 -> 192.168.2.3:49767 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 35.221.46.9:443 -> 192.168.2.3:49768 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 198.12.145.239:443 -> 192.168.2.3:49769 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 144.76.225.204:443 -> 192.168.2.3:49770 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 52.29.252.113:443 -> 192.168.2.3:49771 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 178.250.15.192:443 -> 192.168.2.3:49772 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 155.133.142.13:443 -> 192.168.2.3:49773 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.9.188:443 -> 192.168.2.3:49774 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.26.13.9:443 -> 192.168.2.3:49775 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.93.110.250:443 -> 192.168.2.3:49776 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 46.30.215.215:443 -> 192.168.2.3:49777 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 172.67.222.33:443 -> 192.168.2.3:49778 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 116.90.53.15:443 -> 192.168.2.3:49779 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 116.90.53.15:443 -> 192.168.2.3:49780 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 85.119.82.125:443 -> 192.168.2.3:49781 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 85.119.82.125:443 -> 192.168.2.3:49782 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 91.121.58.131:443 -> 192.168.2.3:49783 version: TLS 1.2
          Source: tS9P6wPz9x.exe, 00000000.00000002.596864356.0000000000B4A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: tS9P6wPz9x.exe, 00000000.00000003.391989730.0000000000BB5000.00000004.00000001.sdmp; Binary or memory string: !F_WinAPI_RegisterRawInputDevices.au3a

          Spam, unwanted Advertisements and Ransom Demands:

          Found ransom note / readme
          Source: C:\4wfaj7427w-readme.txt; Dropped file: ---=== Welcome. Again. ===------=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 4wfaj7427w.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] Data leak [+]First of all we have uploaded more then 80 GB archived data from \\UDATA.Example of data:- Accounting- Finance- Personal Data- Banking data- Strategic sourcing- Management- projects, plans- Confidential filesAnd more other...Our blog:http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/Read what happens to those who do not pay.We are ready:- To provide you the evidence of stolen data- To give you universal decrypting tool for all encrypted files.- To delete all the stolen data.[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.[+] Ho
          Yara detected Sodinokibi Ransomware
          Source: Yara match; File source: 00000000.00000003.204386386.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204547357.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204201424.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204266101.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204328055.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204654521.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204504022.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000003.204445658.0000000002DB9000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: tS9P6wPz9x.exe PID: 2844, type: MEMORY
          Contains functionality to change the wallpaper
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C453E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC,0_2_009C453E
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Process Stats: CPU usage > 98%
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C3B8E OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,0_2_009C3B8E
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009CB82A 0_2_009CB82A
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C865D 0_2_009C865D
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009CAB95 0_2_009CAB95
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C8B80 0_2_009C8B80
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C83FF 0_2_009C83FF
          Source: tS9P6wPz9x.exe, 00000000.00000002.596771888.0000000000B30000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamenlsbres.dllj% vs tS9P6wPz9x.exe
          Source: tS9P6wPz9x.exe, 00000000.00000002.601804176.00000000029D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs tS9P6wPz9x.exe
          Source: tS9P6wPz9x.exe, 00000000.00000002.601788644.00000000029C0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs tS9P6wPz9x.exe
          Source: tS9P6wPz9x.exe, 00000000.00000002.599731233.0000000002520000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs tS9P6wPz9x.exe
          Source: tS9P6wPz9x.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
          Matched in:
          Source: tS9P6wPz9x.exe, type: SAMPLE
          Source: 00000000.00000000.203907016.00000000009C1000.00000020.00020000.sdmp, type: MEMORY
          Source: 00000000.00000002.596611084.00000000009C1000.00000020.00020000.sdmp, type: MEMORY
          Source: 0.2.tS9P6wPz9x.exe.9c0000.1.unpack, type: UNPACKEDPE
          Source: 0.0.tS9P6wPz9x.exe.9c0000.0.unpack, type: UNPACKEDPE
          Source: classification engine; Classification label: mal100.rans.evad.winEXE@2/2@46/38
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C4C0D GetDriveTypeW,GetDiskFreeSpaceExW,0_2_009C4C0D
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C53A4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,0_2_009C53A4
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\396F07EB-C2F1-6216-0EC9-D4DA87185DBF
          Source: tS9P6wPz9x.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: tS9P6wPz9x.exe, 00000000.00000003.368921886.0000000000BBC000.00000004.00000001.sdmp; Binary or memory string: SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'k;R
          Source: tS9P6wPz9x.exe, 00000000.00000003.430958851.0000000000BBC000.00000004.00000001.sdmp; Binary or memory string: SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'b;S
          Source: tS9P6wPz9x.exe; Virustotal: Detection: 75%
          Source: unknown; Process created: C:\Users\user\Desktop\tS9P6wPz9x.exe 'C:\Users\user\Desktop\tS9P6wPz9x.exe'
          Source: unknown; Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: tS9P6wPz9x.exe; Static PE information: section name: .cfg
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File created: C:\4wfaj7427w-readme.txt

          Malware Analysis System Evasion:

          Contains functionality to detect sleep reduction / modifications
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C5907 0_2_009C5907
          Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_0-5168
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C585D rdtsc 0_2_009C585D
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,0_2_009C3B8E
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Window / User API: threadDelayed 9999
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe TID: 2592; Thread sleep count: 9999 > 30
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C761A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,0_2_009C761A
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C5370 GetSystemInfo,0_2_009C5370
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\NULL
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\manifest.json
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\_platform_specific
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\_platform_specific\win_x64
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\_platform_specific\NULL
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121\WidevineCdm\LICENSE
          Source: tS9P6wPz9x.exe, 00000000.00000003.459057587.0000000000C10000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW1
          Source: tS9P6wPz9x.exe, 00000000.00000003.459057587.0000000000C10000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
          Source: tS9P6wPz9x.exe, 00000000.00000002.596864356.0000000000B4A000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW0B
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; API call chain: ExitProcess graph end node graph_0-4252
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C585D rdtsc 0_2_009C585D
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C5387 mov ecx, dword ptr fs:[00000030h] 0_2_009C5387
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C4FB9 mov eax, dword ptr fs:[00000030h] 0_2_009C4FB9
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C47AB HeapCreate,GetProcessHeap,0_2_009C47AB
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe 0_2_009C4964
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C4A20 AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,0_2_009C4A20
          Source: tS9P6wPz9x.exe, 00000000.00000002.599162510.00000000010D0000.00000002.00000001.sdmp, unsecapp.exe, 00000015.00000002.597707060.0000025BF3250000.00000002.00000001.sdmp; Binary or memory string: Program Manager
          Source: tS9P6wPz9x.exe, 00000000.00000002.599162510.00000000010D0000.00000002.00000001.sdmp, unsecapp.exe, 00000015.00000002.597707060.0000025BF3250000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: tS9P6wPz9x.exe, 00000000.00000002.599162510.00000000010D0000.00000002.00000001.sdmp, unsecapp.exe, 00000015.00000002.597707060.0000025BF3250000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: tS9P6wPz9x.exe, 00000000.00000002.599162510.00000000010D0000.00000002.00000001.sdmp, unsecapp.exe, 00000015.00000002.597707060.0000025BF3250000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C4B58 cpuid 0_2_009C4B58
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\tS9P6wPz9x.exe; Code function: 0_2_009C505F GetUserNameW,0_2_009C505F

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Replication Through Removable Media 1 | Windows Management Instrumentation 1 | Windows Service 1 | Windows Service 1 | Virtualization/Sandbox Evasion 1 | Input Capture 21 | Security Software Discovery 121 | Replication Through Removable Media 1 | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Defacement 1
          Default Accounts | Service Execution 1 | Boot or Logon Initialization Scripts | Process Injection 12 | Process Injection 12 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Process Discovery 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Proxy 1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Peripheral Device Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Account Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Service Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | File and Directory Discovery 2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Information Discovery 25 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
