Should I block it?
Yes, 98% block recommendation.
Possible reasons:
Multiple malware detections
Performance resource utilization
Additional versions
| 2, 0, 0, 4 |
11.11% |
|
| 2, 0, 0, 4 |
16.67% |
|
| 2, 0, 0, 4 |
27.78% |
|
| 2, 0, 0, 4 |
5.56% |
|
| 2,0,0,0 |
5.56% |
|
| 2,0,0,0 |
5.56% |
|
| 2,0,0,0 |
22.22% |
|
| 2,0,0,0 |
5.56% |
|
Relationships
 PE file structure
|
Show functions |
Import table
advapi32.dll
RegisterEventSourceA, ReportEventA
htmlayout.dll
HTMLayoutLoadHtml, HTMLayoutSetElementInnerText16, HTMLayoutSetAttributeByName
kernel32.dll
GetVersionExA, GetVersion, GetVersionExW, InterlockedDecrement, GetModuleFileNameW, GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess, CreateThread, RtlUnwind
mswsock.dll
GetAcceptExSockaddrs, AcceptEx
ole32.dll
OleInitialize
shell32.dll
ShellExecuteW, SHGetSpecialFolderPathA, SHGetMalloc
shlwapi.dll
PathFindFileNameW, SHSetValueA, StrStrIA
user32.dll
DefWindowProcW, CreateWindowExW, FindWindowExA
Export table
6?vë�±²áì�E�1¦�Ö�U뫬?�ªm�Z>4$@z?Þ ��²ã�z\?[½°�Ã.Þ���÷åféR�Å)W.q�Ú?Åc*wQËÍÓÃmÌ]#é?x�?ð=��{?�p°Ñ5v¬k¬¦7Ä(�?c?'�??³F]x?GA?è�?%?S?¯YY"?J�?w�Wû?A(_Úîï?h=??Ö×��l9ß3^ú?oOBb�@ba"m#1?×aýjvèlæFº³¨·1àg>?·¨ëQ±Oba�P?A��+7??�`ò?e?ßîô
�µA�·¬)å%î*¦N?4¤gÊ
asio_signal_handler
õ?�Ñl%�ÝWwºÙ�ü²â ×ÚK<Æû�?ù�o?!ò!¥=.Åc�£?ââMMé��w)»¼S?ȬºÎy?ÕU5"�5Cã°Æ?W.ê?ãêA??ý( E'?¸�.lÝä�5�Høx# Z�¢æy�ü?Í·5??½?à?«$|?æ>c?ª,?�Z_hg'S´y.ÙOT{ä'{¤1½%âsb?ÒØ*�Rõ)o�?½E�êú«yú|CD+^?ÍÈÚü-D�¶°,ê~i¾ q²v��±�î<�,?|±ÍíÁ¸BU�ܸ7
?-+4�Lº?Ö=SXô7?ªaM"FHå¸Çz½Ú0�k
ExpressDL.exe
ExpressDL Application by Faglaro Enterprises Limited (Signed)
| Version: | 2, 0, 0, 4 |
| MD5: | d00fae89be24c6a42566b1d81b922b30 |
| SHA1: | 8adf08323c73f4a1d2f93308d5e150424330996d |
| SHA256: | c25b242f4ac3b70ba1a3d31120ddb0ce14a32706231d82dd1fbeda8fbcd6f62d |
Warning 3 antivirus scanners has detected malware.
Overview
expressdl.exe is malware that executes as a process with the local user's privileges typically within the context of its parent
expressfiles.exe (ExpressFiles Application by Faglaro Enterprises Limited). It has been configured with a firewall exception which allows both inbound and outbound network communication without being blocked. It is installed with a couple of know programs including ExpressFiles published by Express Solutions, ExpressFiles from Express Solutions and ExpressFiles by Express Solutions.
Details
| File name: | expressdl.exe |
| Publisher: | http://www.express-files.com/ |
| Product name: | ExpressDL Application |
| Typical file path: | C:\Program Files\expressfiles\expressdl.exe |
| File version: | 2, 0, 0, 4 |
| Product version: | 2,0,0,0 |
| Size: | 1.65 MB (1,735,264 bytes) |
| Build date: | 5/8/2013 7:52 AM |
| Certificate |
| Issued to: | Faglaro Enterprises Limited |
| Authority (CA): | COMODO CA Limited |
| Digital DNA |
| PE subsystem: | Windows GUI |
| File packed: | No |
| .NET CLR: | No |
More details
Programs
The following programs will install this file
“No settings, no complications, unimaginable speed, with minimum effort and maximum simplicity! User-friendly interface anyone can manage. Built-in instant search tool with an amazingly intelligent algorithm! It's absolutely free. And, we are con- stantly working to make our product better. Ask why? It's simple! We like to make the Internet better, and staying there pleasant. It's totally unique. Very simple inter- face is specifically d...”
Behaviors
Windows firewall allowed program
Exceptions allow programs to access to the Internet through an outbound connections
- Firewall exception for 'C:\Program Files\ExpressFiles\expressdl.exe'
Network connections
Access through an approved Windows firewall exception
[TCP] cpc9-salf5-2-0-cust71.10-2.cable.virginmedia.com (86.31.59.72:37249)
[TCP] host-92-27-248-188.as13285.net (92.27.248.188:50538)
[TCP] ip5455817d.adsl-surfen.hetnet.nl (84.85.129.125:10645)
[UDP] listens on port 62790
[UDP] listens on port 61218
[UDP] listens on port 55120
[UDP] listens on port 51454
[UDP] listens on port 54324
[UDP] listens on port 52185
[UDP] listens on port 49884
Malware detections
Based on 40+ industry antivirus scanners, 3 of them detected the following malware.
| Antivirus engine | Engine version | Detection |
| avast! |
8.0.1489.320 |
Win32:Downloader-TSH [PUP] |
| Bkav Security |
1.3.0.4246 |
HW32.CDB.8be2 |
| VIPRE Antivirus |
21832 |
ExpressFiles Installer (fs) |
Resource utilization
(Note: statistics below are averages based on a minimum sample size of 200 unique participants)
Averages
| CPU |
| Total CPU: | 0.00259900% | |
| Kernel CPU: | 0.00116652% | |
| User CPU: | 0.00143249% | |
| Kernel CPU time: | 12,686 ms/min | |
| CPU cycles: | 12,725,294/sec | |
| Memory |
| Private memory: | 25.42 MB | |
| Private (maximum): | 31.17 MB | |
| Private (minimum): | 8.12 MB | |
| Non-paged memory: | 25.42 MB | |
| Virtual memory: | 141.81 MB | |
| Virtual memory (peak): | 186.42 MB | |
| Working set: | 15.18 MB | |
| Working set (peak): | 31.2 MB | |
| Page faults: | 86,622/min | |
| I/O |
| I/O read transfer: | 1.09 MB/sec | |
| I/O read operations: | 70/sec | |
| I/O write transfer: | 106.87 KB/sec | |
| I/O write operations: | 50/sec | |
| I/O other transfer: | 40 KB/sec | |
| I/O other operations: | 1,449/sec | |
| Resource allocations |
| Threads: | 9 | |
| Handles: | 307 | |
| GUI GDI count: | 67 | |
| GUI GDI peak: | 74 | |
| GUI USER count: | 11 | |
| GUI USER peak: | 42 | |
Process properties
| Integrety level: | Medium |
| Platform: | 64-bit |
| Command lines: |
- "C:\Program Files\expressfiles\expressdl.exe" 4092681750 0 magneC:?xt=urC:btiC:e2fc77cd29ddaf2c9439a262c836e73dfc0edc0e&dn=windows 7 ultimate fully activated genuine x86 x64 team ! m j r !&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- "C:\Program Files\expressfiles\expressdl.exe" 2251253982 0 magneC:?xt=urC:btiC:9f783f251fe0b9b88833d058e1c33d9ee38b40b1&dn=cumfiesta annie whorehall serious sucking 01 15 2013&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- "C:\Program Files\expressfiles\expressdl.exe" 1949815428 4 magneC:?xt=urC:btiC:b09067acff2f2075078f64220e514ed53b57cac5&dn=bob ross the joy of painting season 23&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- "C:\Program Files\expressfiles\expressdl.exe" 3703203353 1 magneC:?xt=urC:btiC:6dcb91d396885b96c76ba180aed13642626f3c35&dn=bob ross the joy of painting season 31&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- "C:\Program Files\expressfiles\expressdl.exe" 2826357532 1 magneC:?xt=urC:btiC:524c9c312f4723a9ae1b38e20b8bc1e5b0fd8dd2&dn=bob ross the joy of painting season 30&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- "C:\Program Files\expressfiles\expressdl.exe" 1456486504 3 magneC:?xt=urC:btiC:a741e62093a5fd7b4fa709df483abbcfa8233eb1&dn=bob ross joy of painting season 27&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- "C:\Program Files\expressfiles\expressdl.exe" 4290270910 0 magneC:?xt=urC:btiC:d43457462148749dbf377a0bdef7f3535a55268e&dn=bob ross the joy of painting season 25&tr=udC://tracker.istole.iC:80/announce&tr=udC://tracker.openbittorrent.coC:80/announce&tr=httC://www.h33t.coC:3310/announce&tr=httC://9.rarbg.coC:2710/announce&tr=httC://bt.rutor.orC:2710/announce
- (7 more)
|
| Owner: | User |
| Parent process: | expressfiles.exe (ExpressFiles Application by Faglaro Enterprises Limited) |
Threads
Averages
| expressdl.exe (main module) |
| Total CPU: | 0.06932668% | |
| Kernel CPU: | 0.02295912% | |
| User CPU: | 0.04636756% | |
| CPU cycles: | 4,399,679/sec | |
| Context switches: | 22/sec | |
| Memory: | 4.64 MB | |
| MSWSOCK.dll |
| Total CPU: | 0.00048273% | |
| Kernel CPU: | 0.00024136% | |
| User CPU: | 0.00024136% | |
| CPU cycles: | 26,966/sec | |
| Memory: | 240 KB | |
Common loaded modules
These are modules that are typiclaly loaded within the context of this process.
Distribution by Windows OS
| OS version | distribution |
| Microsoft Windows XP |
25.00% |
|
| Windows 7 Ultimate |
25.00% |
|
| Windows 7 Home Premium |
25.00% |
|
| Windows 8 |
18.75% |
|
| Windows 8.1 Pro Preview |
6.25% |
|
Distribution by country
United States installs about 31.25% of ExpressDL Application.
Distribution by PC manufacturer
| PC Manufacturer | distribution |
| Acer |
28.57% |
|
| Hewlett-Packard |
28.57% |
|
| Compaq |
14.29% |
|
| Dell |
14.29% |
|
| Samsung |
7.14% |
|
| GIGABYTE |
7.14% |
|
