blackmoon | bbb9cd4a21c8a1a6d51033f05a3fe0511c9d119a57d40ead39ddcd1a8628f451

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

So-gou-X-6.4.8.9.exe
Size

132.9MB
MD5

c6dbbbc39eaf8300593c44ba1fff3500
SHA1

6037cbfd7bf39464658240f05f9a708d7f722bab
SHA256

bbb9cd4a21c8a1a6d51033f05a3fe0511c9d119a57d40ead39ddcd1a8628f451
SHA512

6d7c8af2e7269ec192a949fc9eed0f251d07e1a7e1712e56a464b6fa2723d991aa3a08f8b1db7bfc1a427acef513e8d3414b71b9baf044e71e3fb591a9d9705f
SSDEEP

3145728:JjIU7Jf4Jh0h8eYIjjmwmTxP3er9o/Zs4WUwG6FZ:d7Sj0WeYI3m5TxP3eS/ZQX

Score

10^/10

blackmoon gh0strat banker evasion rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4816-751-0x0000000010000000-0x0000000010036000-memory.dmp	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3252-769-0x0000000002110000-0x0000000002125000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

So-gou-X-6.4.8.9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Control Panel\International\Geo\Nation	So-gou-X-6.4.8.9.exe

Executes dropped EXE 3 IoCs

Processes:

Upda.exeHaloonoroff.exeLnnloader.exe

pid process

3784 Upda.exe
4816 Haloonoroff.exe
3252 Lnnloader.exe

pid	process
3784	Upda.exe
4816	Haloonoroff.exe
3252	Lnnloader.exe

Loads dropped DLL 30 IoCs

Processes:

So-gou-X-6.4.8.9.exeMsiExec.exeMsiExec.exeMsiExec.exeUpda.exeHaloonoroff.exeLnnloader.exe

pid	process
2092	So-gou-X-6.4.8.9.exe
2092	So-gou-X-6.4.8.9.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
4568	MsiExec.exe
4568	MsiExec.exe
4568	MsiExec.exe
2092	So-gou-X-6.4.8.9.exe
4568	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
3784	Upda.exe
2816	MsiExec.exe
2816	MsiExec.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
3252	Lnnloader.exe
3252	Lnnloader.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

So-gou-X-6.4.8.9.exeSo-gou-X-6.4.8.9.exeLnnloader.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\R:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\Z:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\G:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\H:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\P:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\E:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\U:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\E:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\I:	Lnnloader.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\M:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\Q:	Lnnloader.exe
File opened (read-only)	\??\X:	Lnnloader.exe
File opened (read-only)	\??\K:	Lnnloader.exe
File opened (read-only)	\??\R:	Lnnloader.exe
File opened (read-only)	\??\W:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\R:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\X:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\W:	Lnnloader.exe
File opened (read-only)	\??\B:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\J:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\N:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\P:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\M:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\T:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\U:	Lnnloader.exe
File opened (read-only)	\??\N:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\A:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\V:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\J:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\Y:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\T:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\O:	Lnnloader.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\Q:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\B:	Lnnloader.exe
File opened (read-only)	\??\N:	Lnnloader.exe
File opened (read-only)	\??\Y:	Lnnloader.exe
File opened (read-only)	\??\Q:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\I:	So-gou-X-6.4.8.9.exe
File opened (read-only)	\??\H:	Lnnloader.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI993C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8524.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI868C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87F5.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{594A4F8D-3A22-41DA-9C1A-E0590A8070DB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA081.tmp	msiexec.exe
File created	C:\Windows\Installer\e598301.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e598301.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002082e74d5af305200000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002082e74d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002082e74d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2082e74d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002082e74d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Lnnloader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Lnnloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Lnnloader.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2748 taskkill.exe

pid	process
2748	taskkill.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{594A4F8D-3A22-41DA-9C1A-E0590A8070DB}\C:\ProgramData\regid.1995-09.com.example\regid.1995-09.com.example_0fe99ee2-752a-44f4-9fc9-5a358edb4425.swidtag = "*"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{594A4F8D-3A22-41DA-9C1A-E0590A8070DB}\C:\Users\Default\Desktop\regid.1995-09.com.example_0fe99ee2-752a-44f4-9fc9-5a358edb4425.swidtag = "*"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{594A4F8D-3A22-41DA-9C1A-E0590A8070DB}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeLnnloader.exe

pid process

896 msiexec.exe
896 msiexec.exe
3252 Lnnloader.exe
3252 Lnnloader.exe

pid	process
896	msiexec.exe
896	msiexec.exe
3252	Lnnloader.exe
3252	Lnnloader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeSo-gou-X-6.4.8.9.exe

description	pid	process
Token: SeSecurityPrivilege	896	msiexec.exe
Token: SeCreateTokenPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeAssignPrimaryTokenPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeLockMemoryPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeIncreaseQuotaPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeMachineAccountPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeTcbPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSecurityPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeTakeOwnershipPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeLoadDriverPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSystemProfilePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSystemtimePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeProfSingleProcessPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeIncBasePriorityPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreatePagefilePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreatePermanentPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeBackupPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeRestorePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeShutdownPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeDebugPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeAuditPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSystemEnvironmentPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeChangeNotifyPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeRemoteShutdownPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeUndockPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSyncAgentPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeEnableDelegationPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeManageVolumePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeImpersonatePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreateGlobalPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreateTokenPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeAssignPrimaryTokenPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeLockMemoryPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeIncreaseQuotaPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeMachineAccountPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeTcbPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSecurityPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeTakeOwnershipPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeLoadDriverPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSystemProfilePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSystemtimePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeProfSingleProcessPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeIncBasePriorityPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreatePagefilePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreatePermanentPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeBackupPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeRestorePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeShutdownPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeDebugPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeAuditPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSystemEnvironmentPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeChangeNotifyPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeRemoteShutdownPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeUndockPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeSyncAgentPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeEnableDelegationPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeManageVolumePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeImpersonatePrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreateGlobalPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeCreateTokenPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeAssignPrimaryTokenPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeLockMemoryPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeIncreaseQuotaPrivilege	2092	So-gou-X-6.4.8.9.exe
Token: SeMachineAccountPrivilege	2092	So-gou-X-6.4.8.9.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

So-gou-X-6.4.8.9.exe

pid process

2092 So-gou-X-6.4.8.9.exe
2092 So-gou-X-6.4.8.9.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Haloonoroff.exeLnnloader.exe

pid process

4816 Haloonoroff.exe
4816 Haloonoroff.exe
4816 Haloonoroff.exe
3252 Lnnloader.exe
3252 Lnnloader.exe
3252 Lnnloader.exe
3252 Lnnloader.exe

pid	process
4816	Haloonoroff.exe
4816	Haloonoroff.exe
4816	Haloonoroff.exe
3252	Lnnloader.exe
3252	Lnnloader.exe
3252	Lnnloader.exe
3252	Lnnloader.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

msiexec.exeSo-gou-X-6.4.8.9.exeMsiExec.exeHaloonoroff.exeLnnloader.exe

description	pid	process	target process
PID 896 wrote to memory of 2816	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 2816	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 2816	896	msiexec.exe	MsiExec.exe
PID 2092 wrote to memory of 4760	2092	So-gou-X-6.4.8.9.exe	So-gou-X-6.4.8.9.exe
PID 2092 wrote to memory of 4760	2092	So-gou-X-6.4.8.9.exe	So-gou-X-6.4.8.9.exe
PID 2092 wrote to memory of 4760	2092	So-gou-X-6.4.8.9.exe	So-gou-X-6.4.8.9.exe
PID 896 wrote to memory of 2096	896	msiexec.exe	srtasks.exe
PID 896 wrote to memory of 2096	896	msiexec.exe	srtasks.exe
PID 896 wrote to memory of 4568	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 4568	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 4568	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 4516	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 4516	896	msiexec.exe	MsiExec.exe
PID 896 wrote to memory of 4516	896	msiexec.exe	MsiExec.exe
PID 4568 wrote to memory of 3784	4568	MsiExec.exe	Upda.exe
PID 4568 wrote to memory of 3784	4568	MsiExec.exe	Upda.exe
PID 4568 wrote to memory of 3784	4568	MsiExec.exe	Upda.exe
PID 4816 wrote to memory of 3252	4816	Haloonoroff.exe	Lnnloader.exe
PID 4816 wrote to memory of 3252	4816	Haloonoroff.exe	Lnnloader.exe
PID 4816 wrote to memory of 3252	4816	Haloonoroff.exe	Lnnloader.exe
PID 3252 wrote to memory of 2748	3252	Lnnloader.exe	taskkill.exe
PID 3252 wrote to memory of 2748	3252	Lnnloader.exe	taskkill.exe
PID 3252 wrote to memory of 2748	3252	Lnnloader.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\So-gou-X-6.4.8.9.exe
"C:\Users\Admin\AppData\Local\Temp\So-gou-X-6.4.8.9.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\So-gou-X-6.4.8.9.exe
"C:\Users\Admin\AppData\Local\Temp\So-gou-X-6.4.8.9.exe" /i "C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\SSSGGGGG.msi" AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop" SECONDSEQUENCE="1" CLIENTPROCESSID="2092" CHAINERUIPROCESSID="2092Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\So-gou-X-6.4.8.9.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1693258290 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\So-gou-X-6.4.8.9.exe" AI_INSTALL="1"
2⤵
- Enumerates connected drives
PID:4760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 12196916785032E0A2BE0C4F77BA3942 C
2⤵
- Loads dropped DLL
PID:2816

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2096

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AE7BBD4B49F4A72F999B177E420C55C4
2⤵
- UAC bypass
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Default\Desktop\Upda.exe
"C:\Users\Default\Desktop\Upda.exe" x C:\Users\Default\Desktop\Wow32.bbo -oC:\Users\Admin\AppData\Roaming\ -peb30xcwbbk0d96fA8Y -aot
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3784

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CDD995CF78A0373DAAF20B644FF48B64 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2652

C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\Haloonoroff.exe
"C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\Haloonoroff.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\sytem\ARM64Himes\Lnnloader.exe
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\sytem\ARM64Himes\Lnnloader.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ipaip2.exe
3⤵
- Kills process with taskkill
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e598302.rbs

Filesize
1.2MB

MD5
842e6f15721cb4339772be0262e2a819

SHA1
72d9473f96393b3911f542f73a9b3bd813d56884

SHA256
7dc086ab654bfa380f83a584ca09c056731a8324dd7cf32982e4748ce2f36c50

SHA512
d4a840a270605c8c7db8f8050616fcc789679bfe69f05942fc41fcf8ee43ecc12001882e1213228e71c5a59ddf8cd771d4fe0c1206f971a3fe0635ffdbb524de

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\PrepareDlgProgress.gif

Filesize
27KB

MD5
ec1cedb4691c438162ac62e58ddc6b76

SHA1
fb35e429bad1577f51391abe13fd402e8251a968

SHA256
fd488abbdc8fee0339b679324332a3af29db00f782d635e2a6593a4140a60ec6

SHA512
1cfe104262958f48ef677251ed3704d22ca6a7f8230119a789492867ba762720ae7023c9cbb194de9c6305bab92c1d511311dd251cca37147cb1b4b3376e25a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\ProgressImage.png

Filesize
174B

MD5
0c18af08390365ed36c605f34273c4a5

SHA1
bbbb19bc789dba1ad031c1d4e9ff644096ac11f6

SHA256
1ae6b5eccea17a126b5edeb49b8469013b4bcb022110dbd9e35b365be088fa1e

SHA512
1b69db94dfa3929d4651ea98e65d0495fbe7b72da15364e88ba13bd1c4547aa81673dd9dec34e5ed7915805a8c938b1bc8bde55dcef2f8fffa4b5dfb0241cc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\applogoicon.bmp

Filesize
3KB

MD5
2d701ba950b9ea2097eafa15b331c208

SHA1
51a7c00fa58e0a5d0d633ace0f8c6a509cd4024b

SHA256
729efca2d8e6963a8bf56b28f1c3235107ffde8485dbace799684d3b06f92143

SHA512
daa833845c98c2abc49295e2bdf0315a0fb3e82428e010839a3f39f8aed8fb436c477351a290deed60e352be54d712273a4dd7b842ccde2f805cbe743d9104a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\backbutton

Filesize
405B

MD5
76e5bdd88ceeb272820cd597f7556fc6

SHA1
9089831330d067ade6d8ee6a4c7c4728ed1ac558

SHA256
52d4ecf8625c8e606c31370544f7a31f126581350628fd7caefe51bccaac1626

SHA512
bdf4236e57dc53f81cf20be5194de4b45337dbec50a1c54ef5710b384404bd4f33e7d200605bdd4a9a21dc5c7ab8f1a2889c8352e7f8f023aae9617ab1e79481

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\backgroundprepare

Filesize
154B

MD5
8fd875cdc559ad66e0a94c64fdb762c3

SHA1
79111743f1ef8da31688f1644f9568a42fbd3ed5

SHA256
fe7c2d4c244139591b0b716a410a1d8af38084cdc560a2beb265bdb8578e4eb3

SHA512
0985a7456bd94e21d62428368c8e52ef7021fe78966dd967b96ecbbf05542abba4f8c85ef3d56bc0f5f9500e0d0828d4b54feaeef9768f85ff754ca8a1b5af3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\browsebutton

Filesize
254B

MD5
1894f43a854b0f3466870e25601d2b3c

SHA1
48140dd46be41e079cdba4b4d9795fe3bcc1991c

SHA256
04885afdfcf1c5e5dbeab7e827be79d34f46e403061c87c98572edc3247aec6e

SHA512
bb53c8a51a54b32a676d820df577ec24e26a08cb9b7c7ff52cc9d8a5becf78bb63df89e510dd99468b67c7e52077f4ee5b9a8a4e88f071a622df4d68eb57af34

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\checkbox

Filesize
1KB

MD5
3e3e58663f11bb7c462334a4de8edb28

SHA1
131243a1a515cccd7410c18135b8d9c2da476c3e

SHA256
4d2750f090da3101849ae21e4c49f50bb4a46fc4d355a9327d49c31a0a128369

SHA512
3b4a5f9a3480d95e25af6e5e3c02a2a179de6200615d1ba8779407ce7d85fad70eda9f4a065ae1550a621720c422a4a393d3b965a9380394b00ebd299851d147

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\frame_bottom_right_inactive.bmp

Filesize
66B

MD5
0e1ab770f8d8f8768b66e7de087087c9

SHA1
36ad69f719f035d0c040db6d611611552a387b41

SHA256
3e57878d7e1c0d2fe4db1dd47b803a363188114520ff5d7a4f50fab47c0ee992

SHA512
2c5a627fba9ce1b35397d1dc4ae7b6954bd7b39a402689f3c12f2dc314ca5133f553da0411cad0a6d556f1787f2b2fce585f76d4b73bb2cff98732aaf808fdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\frame_caption.bmp

Filesize
206B

MD5
d4a94f93002037ca552d4478c8c701ed

SHA1
3b3974bcd813a88eae8d24bb3ba7b30c08ca26bb

SHA256
6328e3b060d86158d6a22085013c97cc8857b284a65673c4a367b9190a876a6a

SHA512
06bccb7066ba3b9f09fdfe1b23ceab28e169c664d5d462044f57103214f2b72ed49feab41311c2960501924d26dc0ba74d9a79b52de91666a36a639195916ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\frame_top_left.bmp

Filesize
154B

MD5
c07e50413d643b1119eb4ff5f9f8a6cf

SHA1
4dcbf7bb589cf2d34c0faa112728412cae9755eb

SHA256
a7d431d251af68b816cb7e94e05b2201f24ebce1ccc01a39fcd5c0efcc0d03c4

SHA512
50cd65afe7d5820f301855a283223949c62e4aae0d9fce6feb53af5f90a1e547bae4f6400f7b25391b53b8c3621b15175ea1a462d813475d2551983db0af124d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\frame_top_mid.bmp

Filesize
66B

MD5
f623cb070f63adadf31212d6564805b9

SHA1
d1c283eeba4b784cd731ce5179b0b44d9d8874cb

SHA256
e4ab79b964317d20d8e15d8723cadca3691878520cfe498eb62674fd8e4a3dc2

SHA512
1836786f6a5eb61dc179135b136ec014c7ea0fb3c87e1c96349b31b91884a55044b12c292623a52b7b20346cf6ee21fef06cff28411bb3c4fe76e14ee1580e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\metrobuttonimage

Filesize
405B

MD5
5fbc69a793959afb968d1b5292be3b09

SHA1
375889283a20c675a844e5a9a38e4feb55f55d05

SHA256
53a1486b8a86c60fbdcb74057d2f9606749cdaf3c845ede40f48d869ac553d23

SHA512
1451ce6ce864821b6f3d6072c6b557a04c802c5c1d715ec3723f4cc3958ea35306b8a9bed8b025cce5f2f62bb7cd1d2070c43f2a63aaccdee29061dfb753cfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\metroinstallbutton

Filesize
557B

MD5
2d014fefb6a22313e7e14a8daf31ce28

SHA1
fe1b72bbe1daa3a0d7874de20e8290d34015dcec

SHA256
f47ac424ed22efeb451214cd21b5096563bcbc4356ba0060278082410bb6d149

SHA512
73254f3a3b46d1bb0c4b29066dd3c35dad4fcf79e4a62e503ea22ebb69adbbee7263cb92fdb3445dedfe7d1fd51faf8f57ef55acee7b086b1fb40ab073a4d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\nextcancelbuttons

Filesize
405B

MD5
69ae8e816a1cc20d5ae0021cf3539399

SHA1
998b8394109a0bb59c2ee216548bd56bff5f66c5

SHA256
8d9aa1ddf1b98a6fac56d878fc1bee87bf6eeefd291fc849e3efc5242bc19016

SHA512
3a38e28aedc2dd99b6ecb0784f67077b6ed8502060bb57e841263c3510d87cc106596c1d809c2edc75b4e00105c98408aa64f41c871de0e8cffb30b56864609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\png_1

Filesize
11KB

MD5
ec319aedc76ede09192a24e3d13b9bda

SHA1
51438793972831650c0c9ea045793527572520f1

SHA256
c672be01267aab50f93a443e3cb65c32164d11ddd68eaef635882551433f5ef3

SHA512
7ec08316d56d524b35927652d938b0389718d2aabe7ade4d36fb673d1adaaaa422186a1f5cbcb0c60f42f01b13bdef99381ebcf8c950f4e7eccb05786ec190f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_close_down.png

Filesize
254B

MD5
e0040a9dbb89f5a5a1b2c2c34bd52a52

SHA1
e85d76a72041c8775f3e810273ef4f7e85035d32

SHA256
d817ae7a97229df819521483ce4018a05b1eab6930a877cb30f4e2bc79a4d42a

SHA512
dbb2a6ee6a51d8b3cc327bf5624410471dfedc9ee4e9a53963881c7af2326ce1bf036d3c4d6ed35f226e654fce905a1ae982a5e79a4921cfd553e427eddf4197

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_close_hot.png

Filesize
290B

MD5
089ed99675e574a5cebba2c5e395ab1e

SHA1
b4bb865a7ecffd8f6f2551d7d5c23ac6f9f3345f

SHA256
c1ec4222cf1b3afaf5a160914c6ddb82794236d350683d9a282c9bc4541d1315

SHA512
f579bd9598f5616d20f9d6cc74d7d900415127fe5629574d76d24badfa65104dfb5ea57574d584d8b9d10a93f4d76c5dd29b0803535cf6b5bc54a1ee1cc694dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_min_down.png

Filesize
219B

MD5
38375b1dd82d4ba1a3a8c12eef4aded6

SHA1
db968d4a666c0401acbd2cf0535f8ef80316ecc9

SHA256
eaed9874836dae7ea6c5d6bf914ebd34263880d745ad61d24d215767a4e355cf

SHA512
bb27752d979afc1e6ee835dbd1a952800cb5a013c14ec70abf213021a3532865f29888a95832a716fc557f9807f04504da16d17d44b16a38eb513a020e079b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_min_hot.png

Filesize
181B

MD5
9f400ca36f8629670facd21639cddc0d

SHA1
00cc682a8332269b01db832db29cbed20e932558

SHA256
6d13e15f83b06a9758833e2cf47310479f7ab834ea06b310fefb3ba859f1fccc

SHA512
a84e4bad25e401331a5b90f0d31c30e62a43b064289e89d3946b2dc06669c7543b6a9b49d8e28208a3644b684529aea765078fb281f4ef1ffb6ca4254446fca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_min_inactive.png

Filesize
175B

MD5
a2c4802002bb61994faabda60334a695

SHA1
0a2b6b0ceb09425080c5ba4b9cbdef533cf69eba

SHA256
a3b59dbc5a39d551455ff838e71b5820560ca3484c6411b9d69df33d8113619c

SHA512
34e130edc650c3de6020f2d2b5dc1404b7aee0105eb7e315c15c5aa61398d174377e9b6a2aecc55f79f54c04812b8745c6739a201539e291538979e6b024da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2092\sys_min_normal.png

Filesize
238B

MD5
516172d0ebf941237cef32fcee8cdf43

SHA1
6bee117996c16c7413be876dfc15978d14813091

SHA256
56e64eaf6349ece08005e6f7299de413ed00112d53518215d90690be2b2a4f1a

SHA512
46477a58aa7e9eeae29e1c1d826bf045422709b7c8f428985c617b366012c58121d4404523a75efe77fc6d8e061a6bb209743d0a2af81545898f51c8855728ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8038.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8038.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8375.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8375.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8403.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8403.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8403.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8491.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8491.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI84FF.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI84FF.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8B0B.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8B0B.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BC7.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BC7.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB564.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB564.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A3.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A3.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiA350.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\Haloonoroff.exe

Filesize
665KB

MD5
ff1799df96e1250fa7c27e4e533a0885

SHA1
ac3f2e816535b463f35efae79018f65991d8834c

SHA256
7cfd01d80cac85f2853afff5af5319b8eef677dd754917a2961861e48b88f366

SHA512
1202e1d521a7e977f54df84aaffb44ec5d253161421fb329c6c6f4051a667fb4618b611bd9e025e3052fe765c4d803d30c474491c8a2d393cd233f7b8655f346

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\Haloonoroff.exe

Filesize
665KB

MD5
ff1799df96e1250fa7c27e4e533a0885

SHA1
ac3f2e816535b463f35efae79018f65991d8834c

SHA256
7cfd01d80cac85f2853afff5af5319b8eef677dd754917a2961861e48b88f366

SHA512
1202e1d521a7e977f54df84aaffb44ec5d253161421fb329c6c6f4051a667fb4618b611bd9e025e3052fe765c4d803d30c474491c8a2d393cd233f7b8655f346

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPCONTROL.DLL

Filesize
863KB

MD5
d91bbf9230c0df41676fb48d23dba2c6

SHA1
04a590ab866d2ec16df056a9a5ad9819033f2ab8

SHA256
fbdc6b6bfd7d373889d42a2027897092b715e20066a473eaface7fb4c97513e7

SHA512
dbca1e04a1bf2f702f73d6ed78c432326bc383438b0506f5aeaae1ce9d2bbcd7a56d81fb71cbcf6d3eed77b772cd47e0e0529b5e6130adc57c38f66202a9b8f1

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPCONTROL.dll

Filesize
863KB

MD5
d91bbf9230c0df41676fb48d23dba2c6

SHA1
04a590ab866d2ec16df056a9a5ad9819033f2ab8

SHA256
fbdc6b6bfd7d373889d42a2027897092b715e20066a473eaface7fb4c97513e7

SHA512
dbca1e04a1bf2f702f73d6ed78c432326bc383438b0506f5aeaae1ce9d2bbcd7a56d81fb71cbcf6d3eed77b772cd47e0e0529b5e6130adc57c38f66202a9b8f1

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPINFO.DLL

Filesize
372KB

MD5
37ef7a107e922bb681febe04761350b7

SHA1
583da754cadc721ddc78cdb5bc917b834e0d4b43

SHA256
19a3e88e9daa3e661f6fb347ea94a46989d5c2fa66b8f80d1b6ff981b4fc07f4

SHA512
082ce9f396947b8f4b11000d4bcccf0252736ce2334c29c72aa6095b05fc05978e1beabb925786946788de181f45aa3282d8f3eac5e524f1976c3178b3990ce7

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPINFO.dll

Filesize
372KB

MD5
37ef7a107e922bb681febe04761350b7

SHA1
583da754cadc721ddc78cdb5bc917b834e0d4b43

SHA256
19a3e88e9daa3e661f6fb347ea94a46989d5c2fa66b8f80d1b6ff981b4fc07f4

SHA512
082ce9f396947b8f4b11000d4bcccf0252736ce2334c29c72aa6095b05fc05978e1beabb925786946788de181f45aa3282d8f3eac5e524f1976c3178b3990ce7

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPINFO.dll

Filesize
372KB

MD5
37ef7a107e922bb681febe04761350b7

SHA1
583da754cadc721ddc78cdb5bc917b834e0d4b43

SHA256
19a3e88e9daa3e661f6fb347ea94a46989d5c2fa66b8f80d1b6ff981b4fc07f4

SHA512
082ce9f396947b8f4b11000d4bcccf0252736ce2334c29c72aa6095b05fc05978e1beabb925786946788de181f45aa3282d8f3eac5e524f1976c3178b3990ce7

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPSTAT.DLL

Filesize
379KB

MD5
b8253f0dd523bc1e2480f11a9702411d

SHA1
61a4c65eb5d4176b00a1ff73621521c1e60d28ea

SHA256
01cee5c4a2e80cb3fdad50e2009f51ca18c787bf486ce31321899cccedc72e0c

SHA512
4c578003e31f08e403f4290970bc900d9f42caa57c5b4c0aca035d92edc9921bf4034fc216c9860da69054b05f98dade5f6e218ac4bee991bc37a3ef572fe9a0

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPSTAT.dll

Filesize
379KB

MD5
b8253f0dd523bc1e2480f11a9702411d

SHA1
61a4c65eb5d4176b00a1ff73621521c1e60d28ea

SHA256
01cee5c4a2e80cb3fdad50e2009f51ca18c787bf486ce31321899cccedc72e0c

SHA512
4c578003e31f08e403f4290970bc900d9f42caa57c5b4c0aca035d92edc9921bf4034fc216c9860da69054b05f98dade5f6e218ac4bee991bc37a3ef572fe9a0

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\TDPSTAT.dll

Filesize
379KB

MD5
b8253f0dd523bc1e2480f11a9702411d

SHA1
61a4c65eb5d4176b00a1ff73621521c1e60d28ea

SHA256
01cee5c4a2e80cb3fdad50e2009f51ca18c787bf486ce31321899cccedc72e0c

SHA512
4c578003e31f08e403f4290970bc900d9f42caa57c5b4c0aca035d92edc9921bf4034fc216c9860da69054b05f98dade5f6e218ac4bee991bc37a3ef572fe9a0

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\UPSDK.DLL

Filesize
1.1MB

MD5
4b57f53faaacc8052d76628c061e9d58

SHA1
893fa64f39983d0ad5fa925c19e423ab1c68e555

SHA256
f9f13914c19413f6f02aaf01caff71fe8305ca2a1c2635f0215f8faca6452e5d

SHA512
a04a3cedd990c70757e5ab5aa272989c6d38d0c241588e32c45fa9429bd2d7038f20b85829d1739a75163217290524bac448d5aeb7b704f53b17a96d9590bb0a

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\UPSDK.dll

Filesize
1.1MB

MD5
4b57f53faaacc8052d76628c061e9d58

SHA1
893fa64f39983d0ad5fa925c19e423ab1c68e555

SHA256
f9f13914c19413f6f02aaf01caff71fe8305ca2a1c2635f0215f8faca6452e5d

SHA512
a04a3cedd990c70757e5ab5aa272989c6d38d0c241588e32c45fa9429bd2d7038f20b85829d1739a75163217290524bac448d5aeb7b704f53b17a96d9590bb0a

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\UPSDK.dll

Filesize
1.1MB

MD5
4b57f53faaacc8052d76628c061e9d58

SHA1
893fa64f39983d0ad5fa925c19e423ab1c68e555

SHA256
f9f13914c19413f6f02aaf01caff71fe8305ca2a1c2635f0215f8faca6452e5d

SHA512
a04a3cedd990c70757e5ab5aa272989c6d38d0c241588e32c45fa9429bd2d7038f20b85829d1739a75163217290524bac448d5aeb7b704f53b17a96d9590bb0a

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\libcurl.dll

Filesize
326KB

MD5
ec9483f4b8c3910b09caab0f6cb7cd1b

SHA1
9931aaa8e626df273ee42f98e2fc91c2078fdc07

SHA256
4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f

SHA512
84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\libcurl.dll

Filesize
326KB

MD5
ec9483f4b8c3910b09caab0f6cb7cd1b

SHA1
9931aaa8e626df273ee42f98e2fc91c2078fdc07

SHA256
4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f

SHA512
84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\peb.dll

Filesize
738KB

MD5
6b6e67a35126866cdd9344924e62b680

SHA1
068ed96503dd85cd43c4fb05d0914e40d2013de0

SHA256
3001806794b7382bc8d36def59b3199d6c2f04ba905aeb7a0d5461ddbb9dd633

SHA512
031a419d3fd8c67378a0091a5eba387b113628c06ded51a9ec0317bb0e2dd67a4c71ba210278056c03f8b93a25d2f7d452d672b05bfd804e106f3a44b5817d04

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\sytem\ARM64Himes\RunHours\Microsoft.VC80.ATL.manifest

Filesize
376B

MD5
0bc6649277383985213ae31dbf1f031c

SHA1
7095f33dd568291d75284f1f8e48c45c14974588

SHA256
c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158

SHA512
6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\sytem\ARM64Himes\RunHours\version

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\Users\Admin\AppData\Roaming\WorkRoaming\emoji\sytem\ARM64Himes\resources\plugins\Microsoft.VC80.CRT.manifest

Filesize
314B

MD5
710c54c37d7ec902a5d3cdd5a4cf6ab5

SHA1
9e291d80a8707c81e644354a1e378aeca295d4c7

SHA256
ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80

SHA512
4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\7z.dll

Filesize
1.1MB

MD5
e7ae42ea24cff97bdead0c560ef2add1

SHA1
866f380a62622ab1b6c7705ddc116635e6e3cc86

SHA256
db2897eeea65401ee1bd8feeebd0dbae8867a27ff4575f12b0b8a613444a5ef7

SHA512
a4a27b2be70e9102d95ee319ec365b0dc434d4e8cd25589ce8a75b73bbe4f06b071caa907c7a61387b2ce6a35a70873593564499b88598f77a7c25c47448fb0a

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\SSSGGGGG.msi

Filesize
2.2MB

MD5
4a7ecc446557b8d9b019276cc9f31246

SHA1
c5fc9d2d38021c7a38018ed4cecaae028246862d

SHA256
bc717db7ab2dadf945ebccaddc4c43637edd9ae4d80aa20b370dad3f0078aab2

SHA512
535f226a4f1cc40e6297649dff82498d88c6cb254563b3aa4f8c1c033f7a6e27fd387d797e0de53a4adb0d21bffe0cc83687481ba8e32a6203a555bc3028f7cc

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\SSSGGGGG.msi

Filesize
2.2MB

MD5
4a7ecc446557b8d9b019276cc9f31246

SHA1
c5fc9d2d38021c7a38018ed4cecaae028246862d

SHA256
bc717db7ab2dadf945ebccaddc4c43637edd9ae4d80aa20b370dad3f0078aab2

SHA512
535f226a4f1cc40e6297649dff82498d88c6cb254563b3aa4f8c1c033f7a6e27fd387d797e0de53a4adb0d21bffe0cc83687481ba8e32a6203a555bc3028f7cc

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\Upda.exe

Filesize
286KB

MD5
afc08ce359e79887e45b8460e124d63e

SHA1
e8dcddb302f01d51da3bcbfa6707d025a896aa57

SHA256
a20d93e7dc3711e8b8a8f63bd148ddc70de8c952de882c5495ac121bfedb749f

SHA512
32d3b8d964711a5706f8cf9f87bc6e33670bba2cb3ab88603dec399652ac7fe297a4692f0865a0bdcbd06515d6b0a84e5a96d1b7fda48f556543536889ba387a

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\Wow32.bbo

Filesize
13.5MB

MD5
d50279b418e899564b9d79550c1c1738

SHA1
33bd6bab323295ba28cdc94f65dc4625ceccc33d

SHA256
b0740199a2e33ed1e25cda5ef36e0b04de0ee0729d8314001c1ad4326f4dcd38

SHA512
fb535957c3da1abd49b10508e50fe58e70d6e1b6584d51551570110e792ff092913506c7d03e08eff3dc5bbe0546c443016edb62b4664f16b563b7e796305adb

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\hjr.sig

Filesize
1KB

MD5
ce17a4ed2b862a523625b330e9941538

SHA1
cb0b949296e237c9085c68a4618fc38522a36b2d

SHA256
a75763f6ffa565dd14dbdd6ddb86e10338f7237796d46cde2d371ca197692d5f

SHA512
e124996632dd102b15de300522f2c853d7184d20961297517b10a63bb25e55b4154ef6d91e8b6449423623e68734bf172b2901a0a0e9895a76a375b83e26bade

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\jhtreg.sig

Filesize
1KB

MD5
0816c9e5e20dff71b986bb60539d960f

SHA1
1f46d602ab78c04785746ecb8bd80705bf234181

SHA256
f83c61a60eea601373d50021f94e6d353f83fdcb110d3b37aa80fce3fd0ca6f5

SHA512
2c763f36d75a0f34deefd9a200922b227cf09d1677e21d385c562fe290de9cc78d967433a8839bf65c0bc4cbaba39cf115b369c3a7dd00a9a0873aaf3fa6878c

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\sogou_pinyin_137.exe

Filesize
114.9MB

MD5
a2c1146ba09a84b1036842d07611ae1e

SHA1
cc1e4d29bde82d6b036c2d97416433c76da311e9

SHA256
a7506bddc3c67065309501892c0120f77c1743b52d69128a2dc8e2ab3f404fd1

SHA512
bb8f5f09357c5bbd1f11d82ee8a27f0899c837236c14b0f9d3109991a624cbab1adbeb06b3c23ed856396d0e5878de8e37d72f09410ef6df23fa383920c2d496

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\A8070DB\whr.sig

Filesize
1KB

MD5
b8cdaa0fd8d9f4960cb88b4f76c681db

SHA1
b1fa9c43e288d2e04fcebb31f32f8fa7d08a1f99

SHA256
94c1532ccd7b3f7f452d4ac935188db42050ad44ddc8724bf3170ecd29c21527

SHA512
1988962397d7963c544adc90e31abd160c71f5680700568a6975946c99219e2d50ba03fc1f893be140bccb7d35011e18052ff6d887b30136bfd1c3f3f3094819

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\sogou_pinyin_137\搜狗输入法 13.7.799\installBandicam\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Default\Desktop\7z.dll

Filesize
1.1MB

MD5
e7ae42ea24cff97bdead0c560ef2add1

SHA1
866f380a62622ab1b6c7705ddc116635e6e3cc86

SHA256
db2897eeea65401ee1bd8feeebd0dbae8867a27ff4575f12b0b8a613444a5ef7

SHA512
a4a27b2be70e9102d95ee319ec365b0dc434d4e8cd25589ce8a75b73bbe4f06b071caa907c7a61387b2ce6a35a70873593564499b88598f77a7c25c47448fb0a

Download Submit
C:\Users\Default\Desktop\7z.dll

Filesize
1.1MB

MD5
e7ae42ea24cff97bdead0c560ef2add1

SHA1
866f380a62622ab1b6c7705ddc116635e6e3cc86

SHA256
db2897eeea65401ee1bd8feeebd0dbae8867a27ff4575f12b0b8a613444a5ef7

SHA512
a4a27b2be70e9102d95ee319ec365b0dc434d4e8cd25589ce8a75b73bbe4f06b071caa907c7a61387b2ce6a35a70873593564499b88598f77a7c25c47448fb0a

Download Submit
C:\Users\Default\Desktop\Upda.exe

Filesize
286KB

MD5
afc08ce359e79887e45b8460e124d63e

SHA1
e8dcddb302f01d51da3bcbfa6707d025a896aa57

SHA256
a20d93e7dc3711e8b8a8f63bd148ddc70de8c952de882c5495ac121bfedb749f

SHA512
32d3b8d964711a5706f8cf9f87bc6e33670bba2cb3ab88603dec399652ac7fe297a4692f0865a0bdcbd06515d6b0a84e5a96d1b7fda48f556543536889ba387a

Download Submit
C:\Users\Default\Desktop\Upda.exe

Filesize
286KB

MD5
afc08ce359e79887e45b8460e124d63e

SHA1
e8dcddb302f01d51da3bcbfa6707d025a896aa57

SHA256
a20d93e7dc3711e8b8a8f63bd148ddc70de8c952de882c5495ac121bfedb749f

SHA512
32d3b8d964711a5706f8cf9f87bc6e33670bba2cb3ab88603dec399652ac7fe297a4692f0865a0bdcbd06515d6b0a84e5a96d1b7fda48f556543536889ba387a

Download Submit
C:\Users\Default\Desktop\Wow32.bbo

Filesize
13.5MB

MD5
d50279b418e899564b9d79550c1c1738

SHA1
33bd6bab323295ba28cdc94f65dc4625ceccc33d

SHA256
b0740199a2e33ed1e25cda5ef36e0b04de0ee0729d8314001c1ad4326f4dcd38

SHA512
fb535957c3da1abd49b10508e50fe58e70d6e1b6584d51551570110e792ff092913506c7d03e08eff3dc5bbe0546c443016edb62b4664f16b563b7e796305adb

Download Submit
C:\Windows\Installer\MSI8524.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI8524.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI868C.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI868C.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI87F5.tmp

Filesize
630KB

MD5
8ecff5e8777908818edd94721ddc349d

SHA1
a3ffcfcffae1b44261c1b1a64917ac898c40b9e2

SHA256
1c450659c7681df9df21b20412c9647e7e8e5bf0f2945c48b1ab51f330f2516b

SHA512
8418049fe52dcf6e294cf58d200b7a7d8e704ba592b3f59243c4c5a4d661c60f8db97540badd9a1718547a0047b39316ec7917c43ddcb8a71bebad49e7baaf08

Download Submit
C:\Windows\Installer\MSI87F5.tmp

Filesize
630KB

MD5
8ecff5e8777908818edd94721ddc349d

SHA1
a3ffcfcffae1b44261c1b1a64917ac898c40b9e2

SHA256
1c450659c7681df9df21b20412c9647e7e8e5bf0f2945c48b1ab51f330f2516b

SHA512
8418049fe52dcf6e294cf58d200b7a7d8e704ba592b3f59243c4c5a4d661c60f8db97540badd9a1718547a0047b39316ec7917c43ddcb8a71bebad49e7baaf08

Download Submit
C:\Windows\Installer\MSI9B40.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
C:\Windows\Installer\MSI9B40.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
C:\Windows\Installer\MSIA081.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
C:\Windows\Installer\MSIA081.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
C:\Windows\Installer\MSIA3ED.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
C:\Windows\Installer\MSIA3ED.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
C:\Windows\Installer\MSIA3ED.tmp

Filesize
614KB

MD5
336283d0f1acfc7102a395db3e7e5869

SHA1
aa6954bdc6de191a2c1aa06344763048763e7b12

SHA256
9d8be5897fa6d001c45c8dcfb23ea2d689bd3653fb91bb46d302be58e8128b9b

SHA512
31ab382e751c12119cf39316712224441c9aef6c07ee549ae2fe4bdacfb2a39ec59944931ce46fbc95207ab1da5e89a0b67a97c4453421f88a5213b5d75dcc99

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
4d6f76bd494f40c9a5fc1e655e8c8c83

SHA1
909016dd5b1f297a3bf8524cced09d078f9398a6

SHA256
98c0330b84a8baf738041b7162421a13104e044857410603c9cf57f6366bb33c

SHA512
9a2e9a0e53a0b566e5f41f8e0f3164fd51ae14c3611893c83e7b7f6b7d011c09b5f6d7ea77c21f47b24f20d971e4a9d553c315c6ca63331232722ec9c6a7cf68

Download Submit
\??\Volume{4de78220-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{30d0cf8e-b896-4fa1-87ce-466ba4cc803a}_OnDiskSnapshotProp

Filesize
5KB

MD5
628390383348d3fe1f3b93e5d3a2fea8

SHA1
9079ddc81b84a50c430bec42e02ccba8de498b11

SHA256
a3c1229a97d487edffaa0f2fe12b5b53af425a4727ab151adbe10d701536e533

SHA512
5ce90ad4dae5dea1e9bb1424e3dcaa4d23144708bfa8d2de16c87ce15478e511f7fee3714abd71fa0b08e5f28c828b50508b2a60dec77ce84322d3688ba8f601

Download Submit
memory/3252-769-0x0000000002110000-0x0000000002125000-memory.dmp

Filesize
84KB

Download
memory/3252-764-0x00000000020C0000-0x00000000020F1000-memory.dmp

Filesize
196KB

Download
memory/4816-756-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4816-659-0x0000000000B00000-0x0000000000C22000-memory.dmp

Filesize
1.1MB

Download
memory/4816-661-0x0000000000760000-0x00000000007C5000-memory.dmp

Filesize
404KB

Download
memory/4816-751-0x0000000010000000-0x0000000010036000-memory.dmp

Filesize
216KB

Download
memory/4816-757-0x000000006B240000-0x000000006B29A000-memory.dmp

Filesize
360KB

Download
memory/4816-759-0x0000000000B00000-0x0000000000C22000-memory.dmp

Filesize
1.1MB

Download
memory/4816-762-0x0000000000760000-0x00000000007C5000-memory.dmp

Filesize
404KB

Download
memory/4816-665-0x0000000000C30000-0x0000000000C93000-memory.dmp

Filesize
396KB

Download
memory/4816-763-0x0000000000C30000-0x0000000000C93000-memory.dmp

Filesize
396KB

Download
memory/4816-671-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download