Analysis Date: 2014-12-03 21:40:18
MD5: 9f06e52c4d7cb42f552a7b3d944f7c6a
SHA1: 8a4a9cca5c1e48e94945308ece2ca18c9ea28710

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2c1aef80ebd2dd0ba4b6162d2a789cca sha1: 4164fb03dc3e389ceb7077dcbb3905805d4bedfd size: 118784
Section .rdata md5: a164780da6f1c492c124764e5c6eef57 sha1: 9aa9b940d391915585252e9794c4e0071b65ff55 size: 20480
Section .data  md5: 2cc73b7d2b264259ecc158636d3b5137 sha1: 923cccee70813c9437dd3ad1a3bd9d70304d93c1 size: 12288
Section .rsrc  md5: 3a5db9265908933e56f70cc09f5285b8 sha1: c7b69c0a2f2fac8ffdc21fdd9f714b8b7056e4c0 size: 4096
Timestamp: 2014-10-19 02:10:06
Version:
LegalCopyright: Copyright (C) 2011 深圳市迅雷网络技术有限公司
InternalName: ExeMiniDownload.exe
FileVersion: 1, 5, 3, 288
CompanyName: 深圳市迅雷网络技术有限公司
ProductName: 迅雷精简版
ProductVersion: 1, 5, 3, 288
FileDescription: 迅雷精简版
OriginalFilename: ExeMiniDownload.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 20de265a031b26f55b67cc0415f626c70d68bb24
IMPhash: d40ac93ecad3ea56dc2bc99f640772bb
AV 360 Safe: Gen:Variant.Zusy.112642
AV Ad-Aware: Gen:Variant.Zusy.112642
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Backdoor.ODBA-7783
AV Avira (antivir): TR/Graftor.159703.11
AV BullGuard: Gen:Variant.Zusy.112642
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Zusy.112642
AV Eset (nod32): Win32/ServStart.IV
AV Fortinet: W32/Zegost.AEYN!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.112642
AV Grisoft (avg): DoS.EKQ
AV Ikarus: Backdoor.Win32.Zegost
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Backdoor.Win32.Zegost.aeyn
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic BackDoor!b2j
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.112642
AV Norman: Gen:Variant.Zusy.112642
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Backdoor.Zegost

Runtime Details:

Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint
Creates Mutex: 5OTkq9bV3ZWdq/Ds6s0=

Network Details:

DNS: www.yxp80.com
Type: A
216.99.157.164
Flows TCP: 192.168.1.1:1031 ➝ 216.99.157.164:2014
Flows TCP: 192.168.1.1:1032 ➝ 216.99.157.164:2014
Flows TCP: 192.168.1.1:1033 ➝ 216.99.157.164:2014
Flows TCP: 192.168.1.1:1034 ➝ 216.99.157.164:2014
Flows TCP: 192.168.1.1:1035 ➝ 216.99.157.164:2014
Flows TCP: 192.168.1.1:1036 ➝ 216.99.157.164:2014

Raw Pcap
0x00000000 (00000)   426c6163 6bbf                         Black.

0x00000000 (00000)   426c6163 6bbf                         Black.

0x00000000 (00000)   426c6163 6bbf                         Black.

0x00000000 (00000)   426c6163 6bbf                         Black.

0x00000000 (00000)   426c6163 6bbf                         Black.

0x00000000 (00000)   426c6163 6bbf                         Black.


Strings
krn32.d
Blac
Getasto
KRN32.d
AIoct
2_32.d
GeTickCounKRNL32.dGetLocaTime
KERNEL32.d
KERNEL32.d
GetTickCount
ProductNameWIIET.dll
IntrntClosHandl
IntrntOpnA
IntrntOpnUrlA
IntrntRadFil
WIIET.d
IrCosHad
IntrntOpnA
IntrntOpnUrlA
WIIET.d
IrCosHad
IntrntOpnA
IntrntOpnUrlA
GetTickCountKERNEL32.dll
E.
P
E
..
.E...
.GeNeworkParams
KERNEL32.d
GobaAoc
KERNEL32.d
GbaFree
KERNEL32.d
KRNL32.dCatPocAKRNL32.dCatPocAShe32.d
SheExecuteA
open
CoseEventLog
ADVAPI32.d
GtSstmDictoA
KERNEL32.dll
DltFilA
KERNEL32.dll
OpenMutexA
KERNEL32.d
GetLastError
KERNEL32.d
ReeaseMutex
KERNEL32.d
SetFeAttrbutesA
KERNEL32.d
RgCratKyEx
DVPI32.d
ProductNameGbMemrySusKRNL32.dCreateMutexAKERNEL32.dllGetLastErrorKERNEL32.dllSetErrorModeKERNEL32.dllGetTickCountKERNEL32.dll
CopyFileAKERNEL32.dllKERNEL32.dllDeleteFileAMoveFileAKERNEL32.dllOpenEventAKERNEL32.dllUSER32.d
CDktp
OpeIputDesktop
USER32.d
CoseDesktopUSER32.dWIIET.dIrOpAMzilla/4.0 (cmpatibl)
IntrntOpnUrlA
IntrntRadFil
CreateFieA
KERNEL32.d
WriteFieKERNEL32.dIteretCoseHade
.
-E-
-0
-0010+-0
0
-0
CC
00-+ 
\
. 
00
...........?- 
0
0
0
0
l
u
080404b0
1, 5, 3, 288
CompanyName
Copyright (C) 2011 
ExeMiniDownload.exe
FileDescription
FileVersion
                                 H
         (((((                  H
         h((((                  H
InternalName
jjjj
jjjjj
LegalCopyright
(null)
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
                          
								
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
1#QNAN
1#SNAN
2If90t
{4_^]3
5OTkq9bV3ZWdq/Ds6s0=
~(9~$u
AAAAAAAAAAAAAAAAA
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Additional:%d
address Number = %d
Address:  %s
ADVAPI32.dll
An application has made an attempt to load the C runtime library incorrectly.
Answers:%d
Application
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVCBuffer@@
.?AVCClientSocket@@
.?AVCKernelManager@@
.?AVCManager@@
.?AVexception@std@@
.?AVtype_info@@
BackGround switch 1.0
?bad Allocate
bad allocation
bad buffer
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
b/g	gP
buffer error
Cache-Control: no-cache
CancelIo
__cdecl
C:\Documents and Settings\All Use
C:\Documents and Settings\All Users\
C:\Documents and Settings\All Users\S
 Class Hierarchy Descriptor'
ClearEventLogA
CloseHandle
__clrcall
 Complete Object Locator'
Connection: Keep-Alive
CONOUT$
`copy constructor closure'
CorExitProcess
C:\progra~1\Common Files\svcchost.exe
CreateEventA
CreateFileA
CreateThread
- CRT not initialized
C:\Users\Administrator\AppData\Roaming\Micros
D$(8D*
@.data
data error
%d.%d.%d.%d
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
 delete
 delete[]
Delete
DeleteCriticalSection
DeleteService
DOMAIN error
dows NT\CurrentVersion
D$ Phx
D$(PQW
;D$<s!
D$$SUV
D$,SUVW
D$$SVW
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
empty distance tree with lengths
EncodePointer
EnterCriticalSection
ExitProcess
ExitThread
__fastcall
Fdf+Fh
February
file error
- floating point not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
GAIsProcessorFeaturePresent
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GET %s HTTP/1.1
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadDesktop
GetTickCount
GetUserObjectInformationA
GetVersionExA
`h````
HARDWARE\DESCRIPTION\System\CentralProcessor\0
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHt@HHt
Host: %s
|$HPWS
_hypot
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
insufficient memory
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
invalid bit length repeat
invalid block type
invalid distance code
invalid literal/length code
invalid stored block lengths
invalid window size
IsDebuggerPresent
JanFebMarAprMayJunJulAugSepOctNovDec
January
j(j ^V
j"^SSSSS
KERNEL32
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
L$0_^[3
L$<_^][3
LCMapStringA
LCMapStringW
LeaveCriticalSection
L$HQhx
L$L_^][3
L$LQVS
LoadLibraryA
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
L$ QSSSSSSh
L$ QSSSSSSVS
L$,QWV
L$ RUPj
lstrcatA
lstrcpyA
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
mscoree.dll
MultiByteToWideChar
need dictionary
NetSubKey
 new[]
New Update
_nextafter
NoRemove
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
/*Now ptr points to Answers*/
(null)
October
oft\Windows\Start Menu\Programs\Startup\server.exe
`omni callsig'
OpenDesktopA
OpenEventA
OpenEventLogA
OpenSCManagerA
OpenServiceA
operator
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
__pascal
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
POST %s HTTP/1.1
PPPPPPPP
Pragma: no-cache
Program: 
<program name unknown>
__ptr64
- pure virtual function call
QQSVWd
QueryPerformanceCounter
Querys:%d
RaiseException
`.rdata
recv error
Referer: http://%s/
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ResetEvent
__restrict
RichW>
RtlUnwind
runtime error 
Runtime Error!
Saturday
`scalar deleting destructor'
Security
September
\server.exe
SetEvent
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetThreadDesktop
SetUnhandledExceptionFilter
SING error
%s   internet address = %s
%s       nameserver = %s
SOFTWARE\Microsoft\Win
s[S;7|G;w
%s%s%s
^SSSSS
__stdcall
stream end
stream error
`string'
Sunday
SunMonTueWedThuFriSat
\syslog.dat
System
T+3x%A
t^9(uZ
tart Menu\Programs\Startup\server.exe
T$ +D$
tD9(u@
T$DPVS
TerminateProcess
TerminateThread
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
< tK<	tG
TLOSS error
T$LPQR
T$LRWS
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tNIt?It0It 
too many length or distance symbols
T$,PQh
T$(PQR
tR99u2
T$,RWV
t#SSUP
T$,SVj
<+t(<-t$:
t$<"u	3
Tuesday
;t$,v-
t$$VSS
t+WWVPV
 Type Descriptor'
`typeof'
tZ9H tU9H$tP
`udt returning'
u&f!;f;
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
unknown compression method
Unknown exception
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.2)
v$;5,WB
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VirtualAlloc
`virtual displacement map'
VirtualFree
v	N+D$
_VVVVV
W(9W$u
WaitForSingleObject
Wednesday
WideCharToMultiByte
Windows 2000
Windows 2003
Windows 2008
Windows 7
Windows NT
Windows Vista
Windows XP
WinSta0\Default
WriteConsoleA
WriteConsoleW
WriteFile
WS2_32.dll
WSASocketA
wsprintfA
|$ WUSV
^WWWWW
	X 9} 
xppwpp
xpxxxx
>=Yt/j
_^][YY
YYu-9D$
YYuTVWhSgA