Trojan-Downloader.Win32.Moure_f345268e8b

by malwarelabrobot on December 13th, 2015 in Malware Descriptions.

Trojan-Downloader.Win32.Moure.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: f345268e8b8acba188f2e1232a06ea39
SHA1: 35b5f878e23c01479a2edeae6d89b3db65c7fb5c
SHA256: 3c0e9255155d43910fdd43e0e7c74e0d084513dcae8cd47583b3d14a12b7721d
SSDeep: 24576:xXifyIZzp53wHMAXwpa1P+1kkui6uKVOlzQ:tifyIZzvwHngp2P+1kWU4U
Size: 927512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Sogou.com Inc.
Created at: 2015-11-03 14:32:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them. In this run the recorded behaviour is that of the Sogou download-assistant installer (version info: MiniDownLoad.exe 2.0.7.15, Sogou.com Inc.): it installs to %Program Files%\SogouDownLoad, registers an Uninstall entry, COM servers, an NPAPI plugin and a Chrome plugin policy, and fetches a second executable, ExternalApp.exe, from hosts under sogou.com and ourdvs.com. Whether the install was consented to is outside what the sandbox can judge; the verdict reflects the silent download-and-execute behaviour.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

ExternalApp.exe:380
%original file name%.exe:308
DownLoadDlg.exe:580
minidownload.exe:928
regsvr32.exe:524
regsvr32.exe:652
regsvr32.exe:332
UpdateService.exe:868
UpdateService.exe:632
XLDownloadCom.exe:2044

The Trojan-Downloader injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ExternalApp.exe:380 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\SogouDownLoad\download\MiniTPFw.exe (1633 bytes)
%Program Files%\SogouDownLoad\download\MiniThunderPlatform.exe (7951 bytes)
%Program Files%\SogouDownLoad\npdownload.dll (8160 bytes)
%Program Files%\SogouDownLoad\download\id.dat (40 bytes)
%Program Files%\SogouDownLoad\XLDownloadCom.exe (3626 bytes)
%Program Files%\SogouDownLoad\DlgHandler.dll (7893 bytes)
%Program Files%\SogouDownLoad\download\zlib1.dll (3170 bytes)
%Program Files%\SogouDownLoad\IEHint64.dll (13023 bytes)
%Program Files%\SogouDownLoad\download\ThunderFW.exe (3053 bytes)
%Program Files%\SogouDownLoad\download\atl71.dll (2201 bytes)
%Program Files%\SogouDownLoad\download\msvcp71.dll (10930 bytes)
%Program Files%\SogouDownLoad\IEHint.dll (7872 bytes)
%Program Files%\SogouDownLoad\download\dl_peer_id.dll (2910 bytes)
%Program Files%\SogouDownLoad\XLDownloadComPS.dll (2017 bytes)
%Program Files%\SogouDownLoad\download\download_engine.dll (75696 bytes)
%Program Files%\SogouDownLoad\npdownload64.dll (10293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\System.dll (11 bytes)
%Program Files%\SogouDownLoad\update\UpdateService.exe (7197 bytes)
%Program Files%\SogouDownLoad\xldl.dll (9424 bytes)
%Program Files%\SogouDownLoad\CommonState.dll (1348 bytes)
%Program Files%\SogouDownLoad\download\msvcr71.dll (12773 bytes)
%Program Files%\SogouDownLoad\uninst.exe (794 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa2.tmp (0 bytes)

The process %original file name%.exe:308 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\minidownload.exe (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process DownLoadDlg.exe:580 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\SogouDownLoad\tmp\ExternalApp.exe (75500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe (255698 bytes)

The process minidownload.exe:928 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\SogouDownLoad\html\images\progressbar.png (285 bytes)
%Program Files%\SogouDownLoad\html\config.ini (116 bytes)
%Program Files%\SogouDownLoad\html\js\actions.js (8 bytes)
%Program Files%\SogouDownLoad\html\js\swfobject.js (10 bytes)
%Program Files%\SogouDownLoad\DownLoadDlg.exe (17625 bytes)
%Program Files%\SogouDownLoad\html\images\check.png (295 bytes)
%Program Files%\SogouDownLoad\html\images\btn_spr.gif (3 bytes)
%Program Files%\SogouDownLoad\crash\ExceptionReport.exe (3644 bytes)
%Program Files%\SogouDownLoad\html\css\down.css (2 bytes)
%Program Files%\SogouDownLoad\html\images\error2.png (738 bytes)
%Program Files%\SogouDownLoad\html\repair.html (1 bytes)
%Program Files%\SogouDownLoad\html\images\img_exe.gif (657 bytes)
%Program Files%\SogouDownLoad\html\images\dlico1.png (348 bytes)
%Program Files%\SogouDownLoad\html\images\error.png (1 bytes)
%Program Files%\SogouDownLoad\html\images\rocket2.swf (5 bytes)
%Program Files%\SogouDownLoad\html\settings.html (3 bytes)
%Program Files%\SogouDownLoad\html\images\ico_close.gif (1 bytes)
%Program Files%\SogouDownLoad\html\js\jquery-1.11.2.min.js (2644 bytes)
%Program Files%\SogouDownLoad\html\images\warning.png (263 bytes)
%Program Files%\SogouDownLoad\html\images\ico_t.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\ico_spr.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\btns.png (931 bytes)
%Program Files%\SogouDownLoad\html\images\errorbg1.png (1568 bytes)
%Program Files%\SogouDownLoad\html\images\rocket1.swf (5 bytes)
%Program Files%\SogouDownLoad\html\images\dlbg.png (26 bytes)
%Program Files%\SogouDownLoad\html\images\ico_min.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\dlico.png (646 bytes)
%Program Files%\SogouDownLoad\html\css\downloader.css (8 bytes)
%Program Files%\SogouDownLoad\html\download.html (7 bytes)
%Program Files%\SogouDownLoad\html\images\bg_line.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\attention.png (567 bytes)
%Program Files%\SogouDownLoad\html\images\errorbg2.png (20 bytes)
%Program Files%\SogouDownLoad\html\images\ico_set.gif (1 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)

The process regsvr32.exe:332 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%System%\GroupPolicy\gpt.ini (315 bytes)
%System%\GroupPolicy\Machine\Registry.pol (268 bytes)

These two files are the local machine Group Policy object. Rewriting Registry.pol, together with the HKLM\SOFTWARE\Policies\Google\Chrome\EnabledPlugins value that the same process sets (see its registry activity below) and the transient HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine keys that the Group Policy editing API creates and then deletes, force-enables the Sogou plugin in Chrome by policy, so the user cannot disable it from the browser's own settings.

Registry activity

The process ExternalApp.exe:380 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 AC 50 45 4B 63 37 2A BE 06 5D 42 0C 7E F7 F2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SogouDownload]
"DisplayVersion" = "2.0.7.17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SogouDownload]
"Publisher" = "Sogou.com"
"DisplayIcon" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"
"DisplayName" = "搜狗高速下载助手"
"UninstallString" = "%Program Files%\SogouDownLoad\uninst.exe"

The process %original file name%.exe:308 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\SogouDownLoad]
"DownLoadDlg.exe" = "搜狗高速下载"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 E6 87 E4 67 AC DC 42 C1 D4 EB 71 24 57 9D A2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"unc" = "x400443_18"

The Trojan-Downloader sets the IE Local intranet zone to include all network paths (UNCs):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It sets the Local intranet zone to include all sites that bypass the proxy server (same ZoneMap key):

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It sets the Local intranet zone to include all local (intranet) sites not listed in other zones, i.e. single-label host names without dots:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

These three ZoneMap values are IE's default Local intranet settings, and the same process also writes the Cache\Paths, Shell Folders and SavedLegacySettings values that WinINet creates on its first use in a profile, so on their own they indicate profile initialisation rather than deliberate zone weakening. The proxy values deleted below are the more meaningful change.

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process DownLoadDlg.exe:580 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}]
"AppName" = "DownLoadDlg.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\LocalServer32]
"(Default)" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"Version" = "2.0.7.17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"HWID" = "43 9C 2B FF A1 3F 3A 49 4B 96 9E 2E F7 6D 66 0B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"InstallPath" = "%Program Files%\SogouDownLoad"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}]
"AppPath" = "%Program Files%\SogouDownLoad"
"Policy" = "3"

(Policy value 3 tells Protected Mode Internet Explorer to launch DownLoadDlg.exe silently at medium integrity, so the low-integrity browser can start this component without a prompt and outside its own sandbox.)

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"DownLoadDlgPath" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"InstallTime" = "1449884347"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 C4 C7 00 03 15 15 69 F3 17 F1 75 0B 9C 0F F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader sets the IE Local intranet zone to include all network paths (UNCs):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It sets the Local intranet zone to include all sites that bypass the proxy server (same ZoneMap key):

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It sets the Local intranet zone to include all local (intranet) sites not listed in other zones, i.e. single-label host names without dots:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

These are IE's default Local intranet settings, written here alongside the WinINet first-use values (Cache\Paths, SavedLegacySettings), so they indicate profile initialisation rather than deliberate zone weakening.

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process minidownload.exe:928 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 42 85 B3 9D 7D A6 E8 81 94 51 1C 38 30 A3 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:524 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 0B EA 43 3A 97 3E 6A 9F A6 8E 04 F7 D5 05 56"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid32]
"(Default)" = "{B411DAF2-77C4-4478-8477-5826A4147AE9}"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}]
"(Default)" = "IXLDownloadInterface"

[HKCR\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9}\InProcServer32]
"(Default)" = "%Program Files%\SogouDownLoad\XLDownloadComPS.dll"

[HKCR\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\NumMethods]
"(Default)" = "14"

[HKCR\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9}\InProcServer32]
"ThreadingModel" = "Both"

The process regsvr32.exe:652 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 02 50 66 91 71 F7 C3 80 D8 62 64 63 4B C7 7F"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\0\win32]
"(Default)" = "%Program Files%\SogouDownLoad\IEHint.dll"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SogouDownLoad"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\TypeLib]
"(Default)" = "{459CB386-4301-448D-A1DA-8751857E980B}"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}]
"(Default)" = "IEHintBHO Class"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0]
"(Default)" = "IEHintLib"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib]
"(Default)" = "{459CB386-4301-448D-A1DA-8751857E980B}"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}]
"(Default)" = "IIEHintBHO"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32]
"(Default)" = "%Program Files%\SogouDownLoad\IEHint.dll"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib]
"Version" = "1.0"

The process regsvr32.exe:332 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SogouDownLoad"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}]
"(Default)" = "IGameDownload"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Descripton" = "搜狗高速下载控件"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib]
"(Default)" = "{13D91BAE-B37C-41C3-AE86-463E53990546}"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Path" = "%Program Files%\SogouDownLoad\npdownload.dll"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib]
"(Default)" = "{13D91BAE-B37C-41C3-AE86-463E53990546}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google\Chrome\EnabledPlugins]
"1" = "搜狗高速下载助手"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}]
"(Default)" = "DownLoadBHO Class"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"ProductName" = "搜狗高速下载助手"

[HKLM\SOFTWARE\Policies\Google\Chrome\EnabledPlugins]
"1" = "搜狗高速下载助手"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}]
"(Default)" = "IDownLoadBHO"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib]
"(Default)" = "{13D91BAE-B37C-41C3-AE86-463E53990546}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC C4 75 EB AD 40 28 C5 98 EE 4F 64 22 E6 9D 15"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Version" = "2.0.7.17"

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0]
"(Default)" = "SogouDownLoadLib"

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32]
"(Default)" = "%Program Files%\SogouDownLoad\npdownload.dll"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"vendor" = "Sogou.com Inc."

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32]
"(Default)" = "%Program Files%\SogouDownLoad\npdownload.dll"

The Trojan-Downloader deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google\Chrome\EnabledPlugins]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine]

The process UpdateService.exe:868 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 97 59 8D FE 71 39 A2 CF 08 38 84 B4 41 7A 52"

The process UpdateService.exe:632 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 54 23 CA B1 D4 90 02 C3 79 05 75 10 C6 A6 26"

The process XLDownloadCom.exe:2044 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 50 E8 12 E1 86 F3 D7 76 9A 26 37 4A 34 01 BD"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0]
"(Default)" = "XLDownloadComLib"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32]
"(Default)" = "%Program Files%\SogouDownLoad\XLDownloadCom.exe"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\0\win32]
"(Default)" = "%Program Files%\SogouDownLoad\XLDownloadCom.exe"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32]
"ServerExecutable" = "%Program Files%\SogouDownLoad\XLDownloadCom.exe"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}]
"(Default)" = "IXLDownloadInterface"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\TypeLib]
"(Default)" = "{2D85F656-2970-437F-BA8A-C6F95B86EE0D}"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}]
"(Default)" = "XLDownloadInterface Class"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib]
"(Default)" = "{2D85F656-2970-437F-BA8A-C6F95B86EE0D}"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SogouDownLoad"
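The registry listing above is long, and the entries that matter for triage (which binaries the registry now points at, the Low Rights ElevationPolicy entry for DownLoadDlg.exe, and the Local intranet zone flags) are scattered across several per-process blocks. The following Python is an added example, not Lavasoft's tooling: it parses listing text in the format this report uses and pulls those entries out. The sample text is a constructed excerpt transcribed from the blocks above (it keeps the report's quirk of printing "ProxyBypass" after a blank line with no repeated key header); the meanings of the ElevationPolicy values and ZoneMap flags are taken from Microsoft's Protected Mode and Internet Options documentation.

```python
import re
from collections import defaultdict

# Constructed excerpt, transcribed from the registry listing on this page.
SAMPLE_LISTING = r'''
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}]
"AppName" = "DownLoadDlg.exe"

[HKCR\CLSID\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\LocalServer32]
"(Default)" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}]
"AppPath" = "%Program Files%\SogouDownLoad"
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32]
"(Default)" = "%Program Files%\SogouDownLoad\IEHint.dll"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Path" = "%Program Files%\SogouDownLoad\npdownload.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
PE_RE = re.compile(r'\.(?:exe|dll)$', re.IGNORECASE)

# Meaning of Policy under IE Low Rights\ElevationPolicy (Protected Mode docs).
ELEVATION_POLICY = {
    '0': 'Protected Mode blocks the launch',
    '1': 'prompt the user, then launch at medium integrity',
    '2': 'launch silently at low integrity',
    '3': 'launch silently at medium integrity (no prompt, outside the low-integrity sandbox)',
}

# ZoneMap flags, named after the check boxes in Internet Options > Security >
# Local intranet > Sites.
ZONE_FLAGS = {
    'UNCAsIntranet': 'Include all network paths (UNCs)',
    'ProxyBypass': 'Include all sites that bypass the proxy server',
    'IntranetName': 'Include all local (intranet) sites not listed in other zones',
}


def parse_registry_listing(text):
    """Return {key: {name: data}}; repeated keys are merged, and a value line
    that follows a blank line is attributed to the last key seen."""
    entries = defaultdict(dict)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            entries[key][m.group(1)] = m.group(2)
    return dict(entries)


def code_load_points(entries):
    """Every value whose data names an EXE/DLL, tagged with the mechanism
    that will load it: (mechanism, key, value name, path)."""
    found = []
    for key, values in entries.items():
        k = key.lower()
        if '\\inprocserver32' in k:
            how = 'COM in-process server (DLL loaded into the client process)'
        elif '\\localserver32' in k:
            how = 'COM out-of-process server (EXE started by COM)'
        elif '\\mozillaplugins\\' in k:
            how = 'NPAPI plugin for Firefox-family browsers'
        else:
            how = 'other'
        for name, data in values.items():
            if PE_RE.search(data):
                found.append((how, key, name, data))
    return found


def elevation_policies(entries):
    """{clsid: values plus 'Meaning'} for IE Low Rights\\ElevationPolicy entries."""
    out = {}
    for key, values in entries.items():
        if '\\low rights\\elevationpolicy\\' not in key.lower():
            continue
        clsid = key.rsplit('\\', 1)[1]
        rec = out.setdefault(clsid, {})
        rec.update(values)
        if 'Policy' in values:
            rec['Meaning'] = ELEVATION_POLICY.get(values['Policy'], 'unknown')
    return out


def intranet_zone_settings(entries):
    """Local intranet inclusions that are switched on: {flag: description}."""
    flags = {}
    for key, values in entries.items():
        if key.lower().endswith('\\internet settings\\zonemap'):
            for name, data in values.items():
                if name in ZONE_FLAGS and data == '1':
                    flags[name] = ZONE_FLAGS[name]
    return flags


if __name__ == '__main__':
    reg = parse_registry_listing(SAMPLE_LISTING)
    for how, key, name, path in code_load_points(reg):
        print(f'{how}\n    {key} [{name}] -> {path}')
    for clsid, rec in elevation_policies(reg).items():
        print(f'ElevationPolicy {clsid}: {rec.get("AppName")} Policy={rec.get("Policy")} ({rec.get("Meaning")})')
    print('Local intranet inclusions:', intranet_zone_settings(reg))
```

Run against the full listing, the interesting output is the ElevationPolicy record (Policy 3 for DownLoadDlg.exe) and the list of COM and NPAPI load points under %Program Files%\SogouDownLoad; the zone flags come out as the three IE defaults, which is why they carry little weight on their own.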

Dropped PE files

MD5 File path
6cbba6bbb04d0d4768303dd45dfe2b4b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\minidownload.exe
417ebf03104be280cf0ae2e2b203dc9f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe
26f9a20018601b6d14b4f1cc4bca34e4 c:\Program Files\SogouDownLoad\CommonState.dll
b049863244370b8fd391385c3234981a c:\Program Files\SogouDownLoad\DlgHandler.dll
e929bc10dec4f605d964afb6b27b7a49 c:\Program Files\SogouDownLoad\DownLoadDlg.exe
0d22d7c73d7d7593e8b729571b38facb c:\Program Files\SogouDownLoad\IEHint.dll
0b4a6d56e15f08edac96332f09489e73 c:\Program Files\SogouDownLoad\IEHint64.dll
bcd846642eb52e78ed3c360e848ce8a8 c:\Program Files\SogouDownLoad\XLDownloadCom.exe
3bc8251badd8e1db42f29cce71decebc c:\Program Files\SogouDownLoad\XLDownloadComPS.dll
ba7121a86dbffafc97e1b8c11c17e199 c:\Program Files\SogouDownLoad\crash\ExceptionReport.exe
58bb62e88687791ad2ea5d8d6e3fe18b c:\Program Files\SogouDownLoad\download\MiniTPFw.exe
e2e9483568dc53f68be0b80c34fe27fb c:\Program Files\SogouDownLoad\download\MiniThunderPlatform.exe
f0372ff8a6148498b19e04203dbb9e69 c:\Program Files\SogouDownLoad\download\ThunderFW.exe
79cb6457c81ada9eb7f2087ce799aaa7 c:\Program Files\SogouDownLoad\download\atl71.dll
dba9a19752b52943a0850a7e19ac600a c:\Program Files\SogouDownLoad\download\dl_peer_id.dll
1a87ff238df9ea26e76b56f34e18402c c:\Program Files\SogouDownLoad\download\download_engine.dll
a94dc60a90efd7a35c36d971e3ee7470 c:\Program Files\SogouDownLoad\download\msvcp71.dll
ca2f560921b7b8be1cf555a5a18d54c3 c:\Program Files\SogouDownLoad\download\msvcr71.dll
89f6488524eaa3e5a66c5f34f3b92405 c:\Program Files\SogouDownLoad\download\zlib1.dll
1e973c20ec29fb85193b471d8ea414c4 c:\Program Files\SogouDownLoad\npdownload.dll
f7fcb594f73e58e4e5dd0a61427a4b98 c:\Program Files\SogouDownLoad\npdownload64.dll
417ebf03104be280cf0ae2e2b203dc9f c:\Program Files\SogouDownLoad\tmp\ExternalApp.exe
ac7961994bf62dcf1399664c1bcdf180 c:\Program Files\SogouDownLoad\uninst.exe
aa276dd9a44a45003311cc891fb71d2e c:\Program Files\SogouDownLoad\update\UpdateService.exe
208662418974bca6faab5c0ca6f7debf c:\Program Files\SogouDownLoad\xldl.dll
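The byte counts in the File activity section are what the sandbox saw written during the trace, not final file sizes (ExternalApp[1].exe is listed at 255698 bytes although the server advertised a Content-Length of 2554872), so a host sweep should match on the MD5s in this table rather than on size. The following Python is an added example, not Lavasoft's tooling: it parses an excerpt of the table (transcribed from above), reports hashes listed at more than one path (the IE cache copy and tmp\ExternalApp.exe are the same file), and sweeps a directory tree for files with matching MD5s. The sandbox paths are XP-era, so matches are reported at whatever path they are found. The demo tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Excerpt of the 'Dropped PE files' table above (MD5, sandbox path).
DROPPED_PE_TABLE = r'''
6cbba6bbb04d0d4768303dd45dfe2b4b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\minidownload.exe
417ebf03104be280cf0ae2e2b203dc9f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe
e929bc10dec4f605d964afb6b27b7a49 c:\Program Files\SogouDownLoad\DownLoadDlg.exe
0d22d7c73d7d7593e8b729571b38facb c:\Program Files\SogouDownLoad\IEHint.dll
1e973c20ec29fb85193b471d8ea414c4 c:\Program Files\SogouDownLoad\npdownload.dll
417ebf03104be280cf0ae2e2b203dc9f c:\Program Files\SogouDownLoad\tmp\ExternalApp.exe
aa276dd9a44a45003311cc891fb71d2e c:\Program Files\SogouDownLoad\update\UpdateService.exe
'''


def parse_dropped_table(text):
    """{md5: [sandbox paths]}; one hash may be listed at several paths."""
    iocs = {}
    for line in text.strip().splitlines():
        md5, _, path = line.strip().partition(' ')
        if len(md5) == 32:
            iocs.setdefault(md5.lower(), []).append(path)
    return iocs


def duplicates(iocs):
    """Hashes that occur at more than one path (same file dropped twice)."""
    return {h: p for h, p in iocs.items() if len(p) > 1}


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """(found path, md5, sandbox paths) for each regular file under root whose
    MD5 is in iocs. Symlinks and unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            try:
                digest = md5_of(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits


def make_demo_tree():
    """Constructed stand-in for a host: a temp dir holding one known file.
    Returns (root, path, md5 of that file)."""
    root = tempfile.mkdtemp(prefix='sweep-demo-')
    path = os.path.join(root, 'sample.bin')
    with open(path, 'wb') as f:
        f.write(b'hello')
    return root, path, md5_of(path)


if __name__ == '__main__':
    iocs = parse_dropped_table(DROPPED_PE_TABLE)
    print('duplicate hashes:', duplicates(iocs))
    root, path, digest = make_demo_tree()
    print('hits with report hashes:', sweep(root, iocs))
    print('hits with demo hash:', sweep(root, {digest: ['constructed']}))
```

On a real host, point sweep() at the drive root or at %Program Files% and the user's Temp and Temporary Internet Files directories; the second result in the demo shows the shape of a hit.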

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Sogou.com Inc.
Product Name: ????????
Product Version: 2.0.7.15
Legal Copyright: (c) 2014 Sogou.com Inc. All rights reserved.
Legal Trademarks:
Original Filename: MiniDownLoad.exe
Internal Name: MiniDownLoad.exe
File Version: 2.0.7.15
File Description: ???????????
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 176648 177152 4.59917 a1197834f5edc49c1f8768314973d1c5
.rdata 184320 30250 30720 3.3603 7e9fdd92a3073141288e3384e1d143c6
.data 217088 16828 7168 2.70014 412c08ce393932c01b2515e7e1e6500b
.rsrc 237568 690196 690688 5.14722 96ad49f163b8480b7a3d475c06093354
.reloc 929792 14054 14336 3.27004 6e6a7754782fe1d765b28e6665cce063

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ctc.ping.sogou.com/pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338
hxxp://sogou.dl.ourdvs.com/externalapp/ExternalApp.exe
hxxp://ping.t.sogou.com/pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338 106.120.188.191
hxxp://yze.t.sogou.com/externalapp/ExternalApp.exe 220.243.235.72
yz.app.sogou.com 36.110.147.36


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /externalapp/ExternalApp.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yze.t.sogou.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Date: Tue, 24 Nov 2015 07:26:58 GMT
Content-Type: application/octet-stream
ETag: "-580955497"
Accept-Ranges: bytes
Last-Modified: Tue, 24 Nov 2015 04:28:51 GMT
Content-Length: 2554872
Server: WS CDN Server
Age: 1534313
Via: 1.0 jn241:88 (Cdn Cache Server V2.0), 1.0 shb72:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
[binary response body omitted: a PE executable (MZ header and "This program cannot be run in DOS mode" DOS stub) of the 2554872 bytes advertised by Content-Length; the report shows only its first bytes]

<<< skipped >>>

GET /pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338 HTTP/1.1
User-Agent: HttpRequest
Host: ping.t.sogou.com


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 12 Dec 2015 01:38:51 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive


The Trojan-Downloader connects to the servers at the following location(s) (listed in the URLs table above).

Strings from Dumps

DownLoadDlg.exe_580:

.text
`.rdata
@.data
.rsrc
@.reloc
8%u/P
SSSSh
xSSSh
FTPjKS
FtPj;S
C.PjRV
F%D,3
portuguese-brazilian
operator
GetProcessWindowStation
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
CCooperationDlg::~CCooperationDlg
[function], Call %s()
CCooperationDlg::Run
CCooperationDlg::CheckAndCreateUIDlg
CCooperationDlg::ShowAndForeground
CCooperationDlg::OnClose
CCooperationDlg::ExternalProc_OnLoad
CCooperationDlg::ExternalProc_InstallCooperation
CCooperationDlg::ExternalProc_CancelInstallCooperation
CWebBrowserDlg<class CCooperationDlg>::Init
Content-Type: application/x-www-form-urlencoded
CDowndLoadDlg::ExternalProc_OpenUrl
CWebBrowserDlg<class CDowndLoadDlg>::Init
CCooperation::Run
CCooperation::IsBind
CCooperation::Exit
CCooperation::Init
appcheckurl
appcheckreporturl
iconurl
CHttpDownload::Download
CHttpDownload::Start
CHttpDownload::Pause
CHttpDownload::ThreadProcForHttpDownload
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CWebBrowserDlg<class CRePairDlg>::Init
CWebBrowserDlg<class CSettingDlg>::Init
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
version="%s"
encoding="%s"
standalone="%s"
CThreadHttpRequest::HttpDownloadToBuffer
CThreadHttpRequest::HttpRequestRelocLocationUrl
CThreadHttpRequest::HttpRequestFileSize
CThreadHttpRequest::ThreadProc
CReport::~CReport
URLDownloadToFileW
DeleteUrlCacheEntryW
URLDownloadToCacheFileW
%%X
%s[%u], %s
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
D:\codes\VS2010\SogouDownLoad-trunk\Src\DownLoadDlg\Release\DownLoadDlg.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
dbghelp.dll
imagehlp.dll
GdiplusShutdown
gdiplus.dll
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
HttpAddRequestHeadersW
InternetCrackUrlW
WININET.dll
VERSION.dll
PSAPI.DLL
NetWkstaTransportEnum
NETAPI32.dll
GetProcessHeap
GetCPInfo
RegOpenKeyW
RegOpenKeyExA
SHEnumKeyExW
PeekNamedPipe
zcÁ
.?AV?$CDialogImpl@VCCooperationDlg@@VCWindow@ATL@@@ATL@@
.?AV?$CWebBrowserDlg@VCCooperationDlg@@@@
.?AVCCooperationDlg@@
.?AV?$CComObject@VCWebBrowserBase@@@ATL@@
.?AUIHTMLOMWindowServices@@
.?AV?$CComCoClass@VCWebBrowser@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
.?AV?$CWindowImpl@VCWebBrowser@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@
.?AVCWebBrowser@@
.?AVCWebBrowserBase@@
.?AV?$CWebBrowserDlg@VCDowndLoadDlg@@@@
.?AVCCooperation@@
.?AVCHttpDownloadBindStatusCallback@@
.?AVCHttpDownload@@
.?AV?$CWebBrowserDlg@VCRePairDlg@@@@
.?AV?$CWebBrowserDlg@VCSettingDlg@@@@
.?AVCHttpRequest@@
.?AV?$CThreadQueue@UtagReportData@@@@
.?AVCReport@@
.?AVCDebugMsg@@
.?AVCUrlParser@@
%Program Files%\SogouDownLoad\DownLoadDlg.exe
%sogsc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
;)<1<><|<
2,2
9#9'9-969;9@9
1$1(1,1014181<1@1
2(2/24282<2]2
2&3,3034383
?!?%?)?-?1?5?9?
<*=0=4=8=<=
= =$=(=,=0=4=8=<=
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.0
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
gSOFTWARE\SogouComponents\DOWNLOAD\COOPERATION\
bindtype=%s&bindname=%s&weight=%d&scheme=%s&uistatus=%u
bindtype=%s&bindname=%s&weight=%d&scheme=%s
cooperationsoft.exe
%s\%s
keyandfile
keyandpath
@HKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&dbn=%s&dbv=%s&rand=%d
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
hXXp://xiazai.sogou.com/hd/log.js?srctype=sogoudownload&t=%d&gid=%s&unc=%s
&rand=%d
{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}
Cooperation
install_cooperation
cancel_install_cooperation
@download.html
DlgHandler.dll
\config.ini
report
openurl
%s\%s(%d)%s
%s\%s.td
cooperation
errortype=%d
/select, %s\%s
softurl
windowsname
mutex_cooperation
hXXp://xz.sogou.com/handleUserIdDb?userid=%s&downloadtype=%s&unc=%s&pcid=%s
%d/%d/%d d:d:d
Module %d
Image Base: 0xx Image Size: 0xx
Checksum: 0xx Time Stamp: 0xx
File Size: %-10d File Time: %s
Company: %s
Product: %s
FileDesc: %s
FileVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
IE Browser Version: %s.
SogouDownload Version: %s.
HWID: %s.
Error occurred at %s.
%s, run by %s.
Operating system: %s (%s).
%d processor(s), type %d.
%d%% memory in use.
%d MBytes physical memory.
%d MBytes physical memory free.
%d MBytes paging file.
%d MBytes paging file free.
%d MBytes user address space.
%d MBytes user address space free.
a Float Denormal Operand
a Float Invalid Operation
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
ERRORLOG.TXT
Error creating exception report
SogouDownload caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
===== [end of %s] =====
CRASH.DMP
ExceptionReport.exe
%s\%s.url
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ExternalApp.exe
hXXp://yze.t.sogou.com/externalapp/ExternalApp.exe
%s\uninst.exe
hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload_regioncontrol&v=1.0.0.0
hXXp://xz.sogou.com/handleUserIdDb256?userid=%s&downloadtype=%s&unc=%s&pcid=%s
showNewMsgTip%d
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
nparam=%s
Advapi32.dll
hXXp://yz.app.sogou.com/tuiguang?downloadtype=%s&pcid=%s
repair.html
\html\repair.html
\html\config.ini
Asettings.html
Web Host
HttpDownload
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; {D9D54F49-E51C-445e-92F2-1EE3C2313240})
image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
"%s" %s
HttpRequest
HTTP/1.0
Content-Length: %d
hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&gid=%s&unc=%s
%s&t=%d&servicestate=%d&rand=%d
%s&t=%d&rand=%d
%s&t=%d&%s&rand=%d
BUrlMon.dll
Wininet.dll
CommonState.dll
%d.%d.%d.%d
\StringFileInfo\xx\%s
Mutex_DebugMsg2
IsSendDebugMsg
SOFTWARE\DebugMsg
Kernel32.dll
[sogou][%s]
Bunknown Windows version
%u.%u.%u
Windows 95
Windows 95 SP1
Windows 95 OSR2
Windows 98
Windows 98 SP1
Windows 98 SE
Windows ME
Windows NT 3.51
Windows NT 4
Windows 2000
Windows XP
Windows 2003 Server
Windows CE
\Global.db
C\\.\PhysicalDrive%d
\\.\Scsi%d:
\iphlpapi.dll
IProfile.ini
hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload_repair&unc=x400443_18&guid=%s&v=%s&t=%d
Setup.exe
hXXp://t.sogou.com/update_platform/done.php?v=%s&appname=sogoudownload_repair&state=1
TempExe.exe
Sogou.com Inc.
2.0.7.15
DownLoadDlg.exe
2014 Sogou.com Inc. All rights reserved.

UpdateService.exe_868:

.text
`.rdata
@.data
.rsrc
PSSSSSSh
PSSSSSSh!
8-H6}G6)67Z
JPi.lP
SHELL32.dll
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
VERSION.dll
WS2_32.dll
MSVCRT.dll
_acmdln
USER32.dll
ole32.dll
OLEAUT32.dll
GetWindowsDirectoryA
GetProcessHeap
RegOpenKeyExW
RegOpenKeyA
RegSetKeySecurity
RegCreateKeyA
RegCreateKeyExA
USBDT.dll
[%s Update Service]register success.
"%s" /Service
UpdateService.exe
[%s Update Service]register fail 3.
[%s Update Service]register fail 2.
[%s Update Service]register fail 1.
Mutex_{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}
[%s Update Service]start register.
"%s" /Restart
[%s Update Service]wait %d minutes.
[%s Update Service]start service.
NUL=%s
wininit.ini
%s\Temp\
%s=%s
EXPLORER.EXE
IEXPLORE.EXE
%d%c%d
AllocateAndInitializeSid error %u
"%s" %s
Dbghelp.dll
Kernel32.dll
user32.dll
hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&rand=%d
hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&%s&rand=%d
dbn=%s&dbv=%s
hXXp://t.sogou.com/update_platform/done.php?v=%s&appname=sogoudownload&state=1
Mddddd
1.0.0.0
CommonState.dll
%d.%d.%d.%d
%s_Classes\%s\%s
%s\%s
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%s_Classes\%s
http\shell\open\command
explorer.exe
%%X
%%x
Wininet.dll
UrlMon.dll
{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}
[UpateDir:%s].
[%s Update Service]start update.
Setup.exe
[%s Update Service]update success.
[%s Update Service]new version: %s, local version: %s.
%s\%s%s
Profile.ini
hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload&unc=%s&guid=%s&v=%s&t=%d
[m_szLocalProfile:%s].
HotPatch.exe
Userenv.dll
iexplore.exe
\StringFileInfo\xx\%s
Update.ini
file%d
%s PID=%d
.bak.exe
wintrust.dll
2.5.4.3
CertCloseStore
CryptMsgClose
CertFreeCertificateContext
CertFindRDNAttr
CertRDNValueToStrA
CertCreateCertificateContext
CryptMsgGetParam
crypt32.dll
1.2.840.113549.1.9.5
CryptDecodeObject failed with %x
1.2.840.113549.1.9.6
rundll32.exe
%s,Rundll32
%s,Rundll32 E
%s,Rundll32 I
%s,Rundll32 R
Rundll32.exe %s,Rundll32 R
CLSID\%s\InprocServer32
CLSID\%s
DlgHandler.dll
%s\DownLoadDlg.exe
S%c%cR
%s*.sys
ATßT%d%d.dat
FT%uD
FT%uH
AT%uFT%u
%Program Files%\TENCENT\SSPlus\SData.dat
PendingFileRenameOperations
advapi32.dll
Sogou.com Inc.
2.0.7.17
UpdateServise.exe
(C) 2014 Sogou.com Inc. All rights reserved.

wuauclt.exe_1064:

.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
zcÁ
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: <failed with %d>
= Process: %s
= Process: <failed with %d>
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
%WinDir%
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System

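The capture in the Traffic section and the URL format strings in the DownLoadDlg.exe and UpdateService.exe dumps above give enough to write a detection: the hostnames and IPs, the bare "HttpRequest" User-Agent on the pingd beacon, and the request paths with their fixed query parameters (srctype=sogoudownload, appname=sogoudownload), with the binary's %s/%d printf placeholders treated as wildcards. One caveat: sogou.com belongs to a large legitimate vendor, so a host-only match will also fire on unrelated Sogou traffic; the beacon path together with the bare User-Agent is the more specific pairing. The script below is an added example, not part of the MAS report. The indicator strings are copied from the report (refanged from its hxxp:// and hXXp:// spelling); the tab-separated proxy log layout and the log lines themselves are constructed for the example.

```python
"""Match this report's network indicators against proxy log lines.

Added example, not part of the MAS report. Indicator strings are copied from
the report's URL table, traffic capture and strings dumps; the log format and
the sample lines are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Copied from the report; defanged there as hxxp:// / hXXp://. %s and %d are the
# binary's printf placeholders and are treated as wildcards below.
REPORT_URLS = [
    "hxxp://ctc.ping.sogou.com/pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338",
    "hxxp://sogou.dl.ourdvs.com/externalapp/ExternalApp.exe",
    "hxxp://yze.t.sogou.com/externalapp/ExternalApp.exe",
    "hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&dbn=%s&dbv=%s&rand=%d",
    "hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload&unc=%s&guid=%s&v=%s&t=%d",
    "hXXp://xz.sogou.com/handleUserIdDb?userid=%s&downloadtype=%s&unc=%s&pcid=%s",
    "hXXp://yz.app.sogou.com/tuiguang?downloadtype=%s&pcid=%s",
]
REPORT_IPS = {"106.120.188.191", "220.243.235.72", "36.110.147.36"}
BEACON_USER_AGENT = "HttpRequest"  # bare UA on the pingd request in the capture

PLACEHOLDER = re.compile(r"%[-0-9]*[sdux]")


def refang(url: str) -> str:
    """Turn the report's hxxp:// / hXXp:// defanging back into a real scheme."""
    return re.sub(r"^h(?:xx|XX)p(s?)://", r"http\1://", url)


def build_indicators(urls):
    """Split each indicator into a hostname and a (path, literal query params)
    template. Placeholder values are dropped so they match anything."""
    hosts, templates = set(), []
    for u in urls:
        p = urlsplit(refang(u))
        hosts.add(p.hostname)
        literal = {k: v[0] for k, v in parse_qs(p.query).items()
                   if not PLACEHOLDER.search(v[0])}
        templates.append((p.path, literal))
    return hosts, templates


def match_line(line: str, hosts, templates):
    """Assumed log layout (constructed for this example):
    timestamp, client, method, url, status, user-agent, tab separated."""
    _ts, _client, _method, url, _status, ua = line.rstrip("\n").split("\t")
    p = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    reasons = []
    if p.hostname in hosts:
        reasons.append(f"host {p.hostname}")
    if p.hostname in REPORT_IPS:
        reasons.append(f"ip {p.hostname}")
    if ua == BEACON_USER_AGENT:
        reasons.append(f"user-agent {ua}")
    for path, literal in templates:
        # Path must match exactly; every literal parameter of the template must be present.
        if p.path == path and all(q.get(k) == v for k, v in literal.items()):
            reasons.append(f"path {path}")
            break
    return reasons


def scan(lines):
    """Return {line_number: [reasons]} for every line that matches an indicator."""
    hosts, templates = build_indicators(REPORT_URLS)
    hits = {}
    for n, line in enumerate(lines, 1):
        reasons = match_line(line, hosts, templates)
        if reasons:
            hits[n] = reasons
    return hits


# Constructed proxy log, not from the report. Line 5 uses an unknown host so the
# beacon path and User-Agent have to carry the detection on their own.
SAMPLE_LOG = [
    "2015-12-12T01:38:51Z\t10.0.0.5\tGET\thttp://ping.t.sogou.com/pingd?srctype=sogoudownload&gid=AAAA&unc=x400443_18&t=52&keynum=9452&rand=99\t200\tHttpRequest",
    "2015-12-12T01:38:52Z\t10.0.0.5\tGET\thttp://yze.t.sogou.com/externalapp/ExternalApp.exe\t200\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "2015-12-12T01:39:00Z\t10.0.0.7\tGET\thttp://www.example.com/index.html\t200\tMozilla/5.0",
    "2015-12-12T01:39:05Z\t10.0.0.5\tGET\thttp://220.243.235.72/externalapp/ExternalApp.exe\t200\tMozilla/4.0",
    "2015-12-12T01:40:00Z\t10.0.0.9\tGET\thttp://cdn.other.example/pingd?srctype=sogoudownload&gid=BBBB&unc=x1&t=1&rand=5\t200\tHttpRequest",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(n, ", ".join(reasons))
```

Lines 1, 2, 4 and 5 of the constructed log match; line 3 does not. Line 5 is the one worth noting: the host is unknown, yet the /pingd path with srctype=sogoudownload plus the bare HttpRequest User-Agent still flags it, which is the pairing to carry into a Suricata or proxy rule if host-based blocking of sogou.com is not an option.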

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ExternalApp.exe:380
    %original file name%.exe:308
    DownLoadDlg.exe:580
    minidownload.exe:928
    regsvr32.exe:524
    regsvr32.exe:652
    regsvr32.exe:332
    UpdateService.exe:868
    UpdateService.exe:632
    XLDownloadCom.exe:2044

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Program Files%\SogouDownLoad\download\MiniTPFw.exe (1633 bytes)
    %Program Files%\SogouDownLoad\download\MiniThunderPlatform.exe (7951 bytes)
    %Program Files%\SogouDownLoad\npdownload.dll (8160 bytes)
    %Program Files%\SogouDownLoad\download\id.dat (40 bytes)
    %Program Files%\SogouDownLoad\XLDownloadCom.exe (3626 bytes)
    %Program Files%\SogouDownLoad\DlgHandler.dll (7893 bytes)
    %Program Files%\SogouDownLoad\download\zlib1.dll (3170 bytes)
    %Program Files%\SogouDownLoad\IEHint64.dll (13023 bytes)
    %Program Files%\SogouDownLoad\download\ThunderFW.exe (3053 bytes)
    %Program Files%\SogouDownLoad\download\atl71.dll (2201 bytes)
    %Program Files%\SogouDownLoad\download\msvcp71.dll (10930 bytes)
    %Program Files%\SogouDownLoad\IEHint.dll (7872 bytes)
    %Program Files%\SogouDownLoad\download\dl_peer_id.dll (2910 bytes)
    %Program Files%\SogouDownLoad\XLDownloadComPS.dll (2017 bytes)
    %Program Files%\SogouDownLoad\download\download_engine.dll (75696 bytes)
    %Program Files%\SogouDownLoad\npdownload64.dll (10293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\System.dll (11 bytes)
    %Program Files%\SogouDownLoad\update\UpdateService.exe (7197 bytes)
    %Program Files%\SogouDownLoad\xldl.dll (9424 bytes)
    %Program Files%\SogouDownLoad\CommonState.dll (1348 bytes)
    %Program Files%\SogouDownLoad\download\msvcr71.dll (12773 bytes)
    %Program Files%\SogouDownLoad\uninst.exe (794 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\minidownload.exe (1792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Program Files%\SogouDownLoad\tmp\ExternalApp.exe (75500 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe (255698 bytes)
    %Program Files%\SogouDownLoad\html\images\progressbar.png (285 bytes)
    %Program Files%\SogouDownLoad\html\config.ini (116 bytes)
    %Program Files%\SogouDownLoad\html\js\actions.js (8 bytes)
    %Program Files%\SogouDownLoad\html\js\swfobject.js (10 bytes)
    %Program Files%\SogouDownLoad\DownLoadDlg.exe (17625 bytes)
    %Program Files%\SogouDownLoad\html\images\check.png (295 bytes)
    %Program Files%\SogouDownLoad\html\images\btn_spr.gif (3 bytes)
    %Program Files%\SogouDownLoad\crash\ExceptionReport.exe (3644 bytes)
    %Program Files%\SogouDownLoad\html\css\down.css (2 bytes)
    %Program Files%\SogouDownLoad\html\images\error2.png (738 bytes)
    %Program Files%\SogouDownLoad\html\repair.html (1 bytes)
    %Program Files%\SogouDownLoad\html\images\img_exe.gif (657 bytes)
    %Program Files%\SogouDownLoad\html\images\dlico1.png (348 bytes)
    %Program Files%\SogouDownLoad\html\images\error.png (1 bytes)
    %Program Files%\SogouDownLoad\html\images\rocket2.swf (5 bytes)
    %Program Files%\SogouDownLoad\html\settings.html (3 bytes)
    %Program Files%\SogouDownLoad\html\images\ico_close.gif (1 bytes)
    %Program Files%\SogouDownLoad\html\js\jquery-1.11.2.min.js (2644 bytes)
    %Program Files%\SogouDownLoad\html\images\warning.png (263 bytes)
    %Program Files%\SogouDownLoad\html\images\ico_t.gif (1 bytes)
    %Program Files%\SogouDownLoad\html\images\ico_spr.gif (1 bytes)
    %Program Files%\SogouDownLoad\html\images\btns.png (931 bytes)
    %Program Files%\SogouDownLoad\html\images\errorbg1.png (1568 bytes)
    %Program Files%\SogouDownLoad\html\images\rocket1.swf (5 bytes)
    %Program Files%\SogouDownLoad\html\images\dlbg.png (26 bytes)
    %Program Files%\SogouDownLoad\html\images\ico_min.gif (1 bytes)
    %Program Files%\SogouDownLoad\html\images\dlico.png (646 bytes)
    %Program Files%\SogouDownLoad\html\css\downloader.css (8 bytes)
    %Program Files%\SogouDownLoad\html\download.html (7 bytes)
    %Program Files%\SogouDownLoad\html\images\bg_line.gif (1 bytes)
    %Program Files%\SogouDownLoad\html\images\attention.png (567 bytes)
    %Program Files%\SogouDownLoad\html\images\errorbg2.png (20 bytes)
    %Program Files%\SogouDownLoad\html\images\ico_set.gif (1 bytes)
    %System%\GroupPolicy\gpt.ini (315 bytes)
    %System%\GroupPolicy\Machine\Registry.pol (268 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
