Malware Analysis Report

2025-01-18 22:15

Sample ID: 240429-twkspafb22
Target: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia
SHA256: a65c9ccabb00b7d75c54d16b09fe27dd9cdea8ec00921a423adcd2b23c9c2ff4
Tags: adware bootkit discovery persistence stealer
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

a65c9ccabb00b7d75c54d16b09fe27dd9cdea8ec00921a423adcd2b23c9c2ff4

Threat Level: Likely malicious

The file 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit discovery persistence stealer

Downloads MZ/PE file

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-29 16:24

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 16:24

Reported

2024-04-29 16:27

Platform

win7-20240220-en

Max time kernel

126s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\IEHint64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020} C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\xldl.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\IEHint64.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\css\down.css C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\DlgHandler.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_min.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\dl_peer_id.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\msvcp71.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\npdownload64.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\MiniThunderPlatform.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\npdownload.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\CommonState.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\id.dat C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\bg_line.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\img_sx.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\download.html C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_close.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\atl71.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\download_engine.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\msvcr71.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\download\zlib1.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\uninst.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\repair.html C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_set.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_spr.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\IEHint.dll C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085} C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\AppName = "DownLoadDlg.exe" C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\AppPath = "C:\\Program Files (x86)\\SogouDownLoad" C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\Policy = "3" C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\ = "DownLoadBHO Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32 C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\FLAGS C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ = "IXLDownloadInterface" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib\ = "{459CB386-4301-448D-A1DA-8751857E980B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\npdownload.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SogouDownLoad" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\SogouDownLoad\\XLDownloadCom.exe" C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0 C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\LocalServer32 C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib\Version = "1.0" C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\IEHint.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SogouDownLoad" C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib\ = "{2D85F656-2970-437F-BA8A-C6F95B86EE0D}" C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\LocalServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\DownLoadDlg.exe" C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\ = "IIEHintBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\ = "IEHintBHO Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\NumMethods\ = "14" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\SOFTWARE\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\ = "SogouDownLoadLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\ = "IEHintLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ = "IXLDownloadInterface" C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\ = "IEHintBHO Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D} C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SogouDownLoad" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid32 C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid32\ = "{B411DAF2-77C4-4478-8477-5826A4147AE9}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ = "IGameDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32\ = "\"C:\\Program Files (x86)\\SogouDownLoad\\XLDownloadCom.exe\"" C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 1984 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
PID 1984 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
PID 1984 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
PID 1984 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2660 wrote to memory of 2236 N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
PID 2236 wrote to memory of 2320 N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2316 N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 1560 N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1560 wrote to memory of 1600 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2236 wrote to memory of 860 N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 860 wrote to memory of 2148 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2236 wrote to memory of 880 N/A C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\minidownload.exe

C:\Users\Admin\AppData\Local\Temp\\minidownload.exe

C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe

"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VFn9n9_QE91hsipUd8ZPGCKrHmAlohI-Z5xWab8-hdzEZwANlQSdM_SG1O7Kkpbde98B6SY4clrbMXmmkh16MZMnFugp9LyMZymoJGOaTh0xmq_3hQETA5LFYnXbqILusGMRyn1oqoQ-_IhNtWMXWFw..%26pcid%3D3422649212502276885%26w%3D1950%26filename%3DFirefox-setup-39.0.0.5659.exe%26extra%3D8_tencent%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3422649212502276885.png&softname=%E7%81%AB%E7%8B%90%E6%B5%8F%E8%A7%88%E5%99%A8&softsize=41.4+MB

C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe

"C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe" /Update

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"

C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe

"C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Install

C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe

"C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe" /Regserver

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll"

C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe

"C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Service

C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe

"C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe"

C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe

"C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe" MiniThunderPlatform2024-04-2916:24:37 "C:\Program Files (x86)\SogouDownLoad\download\MiniThunderPlatform.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 yz.app.sogou.com udp
US 49.51.65.181:80 yz.app.sogou.com tcp
US 8.8.8.8:53 t.sogou.com udp
DE 49.51.130.237:80 t.sogou.com tcp
US 8.8.8.8:53 imgstore.cdn.sogou.com udp
US 8.8.8.8:53 yze.t.sogou.com udp
CN 49.7.115.206:80 imgstore.cdn.sogou.com tcp
AT 163.171.147.8:80 yze.t.sogou.com tcp
US 8.8.8.8:53 ping.t.sogou.com udp

Files

\Users\Admin\AppData\Local\Temp\minidownload.exe

MD5 8ee60bd9893bafd259db1189e6650bff
SHA1 d3be976a5a7519f0c608b3f542b9df622ad14a97
SHA256 a40a56b1dc70cb7347635f17a79f03aa71a048a0ebbdff4ad54bfdff8c3e9a6d
SHA512 78492aca8d2d7201d983eaa94637c80d6adcd915f12e5085aedfa7f186cfb98c20e53414fd8a3cc2f3477482a8dfba166c308f199a825d143af6c520d3db40a7

C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe

MD5 46339e5e0b54acec4be3b105ee123b36
SHA1 29963314f6b97d8511caadbf9b2b531ae9fd8344
SHA256 a6192d7b0b7bce4648feda82506bfbd25f6e35299f4ca38a2d0952dfbe669dbb
SHA512 72a07caf7ad0209400e6acba520594428560ebd81f4c7baa350392fb73b75a8907ce9b175088893d9de2bf0ad710ff2a5a3c0abb0add38fdf538ff6ce870a65c

memory/2660-28-0x0000000000130000-0x0000000000131000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HB04BWRE.txt

MD5 43e6c149f44996d17a2b792b51526564
SHA1 89c5d614ff2a2609e875b7f6f2993174e9eb24f5
SHA256 2d5bdea43c39aca9660c8b48dcee3aea545bba6412e8e200e8dd6f7eea9897b6
SHA512 13110b6da95525729916d94b6ad19d567b3ad08bf45456c66dd6521a5d4b08b0c16ca27f6790c6d1175efde07204c918a13ce2cd991dd1044deb9f7b7a0850f7

C:\Program Files (x86)\SogouDownLoad\html\download.html

MD5 e50275eb17164ac5d97624940ab96a6e
SHA1 13ee435c49a781db1bebccfa33a8b0c28446ec86
SHA256 afac1879d10be5235a4d074c9084e61aadff82aab839bacc96e39d103ba4f843
SHA512 4f2cb13394555cd34ad2219740d342f71186c33409c3a69cc454486341b8cbc924e2b5d3208a86b45343dc1fccc2217beb0126fba467f920f014d94516dd0fbb

C:\Program Files (x86)\SogouDownLoad\html\css\down.css

MD5 84db4fb862441444de44fc92f7872b28
SHA1 e84789926527cfc0f07000720799266e7337ce85
SHA256 2db706458c7b0b41021ef2f10549f4974f134f2d683f46ae4a78f49b97f981f1
SHA512 39e4b7ace01af64248afcbebd01a1fb550dbb441ca9d083e0ad33cd8a7b859af86baf91d1ddfeb5fe6aafb07cfcbcfee69eb1b4d8016ad974126dbbf31bb3d7c

C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif

MD5 35cbcf30c37a40b66a7bdd9520907213
SHA1 f1d252908873ba61906535d7bf14ced37be2aabc
SHA256 4ae4ea3c7949bffc51a37c6219a9612594c2c48e2b92bff2c5991162b9ce9e41
SHA512 654a0edee6601c679780550a4d2c080f81acdaf19d470d26164d791f774f6b3efcbc294a9b3f481183f1cff2fe5c2542e4aa3307513ca3499dcd569d0fcb112d

C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif

MD5 0e0ac8352cd69f396f271fa32f3ab554
SHA1 ed6d306a5033707f45477df3318a53d15b47cf43
SHA256 c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA512 5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif

MD5 70d3c5cc5e7561ae74683b1ce4530392
SHA1 46c09ecdd29f1ef35de4b4b3aea3854099910597
SHA256 49c130fe7fd6e0d9b9e277383d7b977e2230a2986b311efa6c6e2152b46e26c4
SHA512 3b02311524984112da93c8bbd09898532870017dcc5c3da1915e31fdf90d22a5bbed2f7328cd938a55c2b296c6ba5edee7fed7fafa6397a8f959c657c1b3b533

C:\Program Files (x86)\SogouDownLoad\html\images\ico_spr.gif

MD5 49e7f208e1f652e42b9c46eaa3df8cdf
SHA1 7f24027e0069d4bc93655afd1a0bae4817b0a4bb
SHA256 65ec71c6bcf1a5de158c7b71b3c55a71848bc2a7c15f94f7bcdaac3effd4da0e
SHA512 b85f4be2a43bc1ee0ef19bfbd99d7c4d1d41a8a596748770c9c00e2456c6cfb02c7130dc3d24b88dba0d7f7c929bd5fa87905804c129052a9b70098f3cdb0b1e

\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe

MD5 b58d945d3d2b83eb5199d60fc27d0e6a
SHA1 3b70e368422bab5ff123d1ef6c5779adb540ef5a
SHA256 905de1f8ab574888fa9dbe7bb5a060ca1c09f710fed2c98e3c2699e595343b79
SHA512 027b6ab2197451dae5224c6f3417120d3b7e1ca5cb1801e4a952cac4b832deeacd16955bb3cb3c13553317685609eac6a2202ce8d2ab85837963a5a1478eacdd

C:\Program Files (x86)\SogouDownLoad\npdownload.dll

MD5 09c16c79a0093b38ef756c58c32d75e2
SHA1 d6721cc14a1dd1879a923b38fd046d6e8b0f40df
SHA256 a93cce637743104e4d418eca05f238405b3e97672163d8abd1ad429045f843b6
SHA512 eabb9237b5121e9755a01d4e9522513fbf5ea4594779d336fe373708933006b94d10a23a749efc623177296b1270337a63aab46d4990a0ee1f73df7ee8622f87

C:\Program Files (x86)\SogouDownLoad\IEHint.dll

MD5 6cffe36e5e3d9364a18eaf4a44ebfc23
SHA1 8a3bb3fa5f76a7eac5dfc4bd201a5e5203c10bcf
SHA256 cd57765f8cea6a4f422862c0b8a3e1945f17292e4c14b31333ec1525e05c6025
SHA512 7e145a0a79bd3d8caa89bae2ddb1187ff4de481426bb820cdf8f0206c96819d38af0ade5aad6c9e89da4e11dad6d5ab692f3d8bb25b90da2596bf49619fe325b

\Users\Admin\AppData\Local\Temp\nsd36CA.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Program Files (x86)\SogouDownLoad\npdownload64.dll

MD5 8523eee6d4c49b110e6c19ecfd7e5620
SHA1 434ddf9f77f904812ef4c3c2329ce057b30dfdfc
SHA256 a4917bf56e25576632e808c5199c3c43eb21c866e4e6eb6747c79168f6044c57
SHA512 bb916842beac0a605675dda9bf240b2f75437a61bbdd3d89fd464694167db7addb9fd6dd2fce482b9670c9c0e46eb9b3952cf538fb555ade10a9787f4081934a

\Program Files (x86)\SogouDownLoad\IEHint64.dll

MD5 30e7e39b49c8590aec85aca2664ff3e7
SHA1 8273c46fb4666e44ce3865012529aebb6aa95f1c
SHA256 3d3f8c1a05c2b5b5362b9ee0ddc1ce653a22abf0b559acceebcc82b73dbaf79a
SHA512 8d967605e4be98929cf6b508dccc217e60186da44dcb594d16e286f29b66c846dc1c4e676fab235de7f2326bcb4aae30528a535136de72f6a978a48d8a424245

\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe

MD5 004dcd89684f7fc42d3c77edf80dfc92
SHA1 8a086552df8c17ad146518757689f9237e27b87d
SHA256 67510f7dd0476f12e07901ac0344d92186dd761a52398ee1e835421382094f1b
SHA512 3a60493e77a7e59147d2b75bed788062d7482d922062d63a40ba3a050013736ce28e1f6319ba3eb7faecc44de9332ff571c028ea8582270d614d9659bf2769ac

C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe

MD5 58bb62e88687791ad2ea5d8d6e3fe18b
SHA1 0ffb029064741d10c9cf3f629202aa97167883de
SHA256 f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100
SHA512 cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe

MD5 f0372ff8a6148498b19e04203dbb9e69
SHA1 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA512 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

\Program Files (x86)\SogouDownLoad\update\UpdateService.exe

MD5 44f5df9407679e7385a0a3a925fbc39b
SHA1 95681735e2b3e8d0296b39fb505a6e6644e2330b
SHA256 a1779be9ef6a3ec798578c0b79a279d34316872d8509eb37f62c98b2fe6af23f
SHA512 bf02965127b81da708e13b519b822903de9999b797bbd0ed6697a39e95279511c9e9044d793ef69d9a11f3d518fce1ba85250bbe58c6255f660a09bced35c63f

\Program Files (x86)\SogouDownLoad\DlgHandler.dll

MD5 87d4aa3496919af493c9365619c3fd53
SHA1 a883a0be2940811ef9232592c811b854f684f4b7
SHA256 d4a4eb61a6ffba806c3f34fa6bb5fca32489f53138dbaf324a8b2d210afa0771
SHA512 064637554b7e7e1c5699f4e4ced73dd4ca7bf87172009b121bedeb864f8e3d03a1352b6f6b9515b9a4020137e07b9981476a664eadbd27bd32acdd8a53003372

\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll

MD5 ef217dde650c290e6f15bdbd7f55f26d
SHA1 87ef4ca0ac1f7dd6c50bdaa0aeeebc3d1e132dcf
SHA256 a445ea86ffb20f9540d53aa12dc8f3737a9c87573241b9c5686109533b92e890
SHA512 d2ae2574d2fa5455b590513066bdee9d3765bffd6b82450a5e619d01d4378013cbdcb4f0d9cec47ba7f03125098945c07cb0c6274a9a1ad0346bddd10fe022b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 16:24

Reported

2024-04-29 16:27

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SogouDownLoad\html\css\down.css C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_set.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_spr.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\repair.html C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_min.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\img_sx.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_close.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\bg_line.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouDownLoad\html\download.html C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\minidownload.exe

C:\Users\Admin\AppData\Local\Temp\\minidownload.exe

C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe

"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VFn9n9_QE91hsipUd8ZPGCKrHmAlohI-Z5xWab8-hdzEZwANlQSdM_SG1O7Kkpbde98B6SY4clrbMXmmkh16MZMnFugp9LyMZymoJGOaTh0xmq_3hQETA5LFYnXbqILusGMRyn1oqoQ-_IhNtWMXWFw..%26pcid%3D3422649212502276885%26w%3D1950%26filename%3DFirefox-setup-39.0.0.5659.exe%26extra%3D8_tencent%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3422649212502276885.png&softname=%E7%81%AB%E7%8B%90%E6%B5%8F%E8%A7%88%E5%99%A8&softsize=41.4+MB

Network

Country Destination Domain Proto
US 8.8.8.8:53 yz.app.sogou.com udp
US 49.51.65.181:80 yz.app.sogou.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 t.sogou.com udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 181.65.51.49.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
DE 49.51.130.237:80 t.sogou.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.130.51.49.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\minidownload.exe

MD5 8ee60bd9893bafd259db1189e6650bff
SHA1 d3be976a5a7519f0c608b3f542b9df622ad14a97
SHA256 a40a56b1dc70cb7347635f17a79f03aa71a048a0ebbdff4ad54bfdff8c3e9a6d
SHA512 78492aca8d2d7201d983eaa94637c80d6adcd915f12e5085aedfa7f186cfb98c20e53414fd8a3cc2f3477482a8dfba166c308f199a825d143af6c520d3db40a7

C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe

MD5 46339e5e0b54acec4be3b105ee123b36
SHA1 29963314f6b97d8511caadbf9b2b531ae9fd8344
SHA256 a6192d7b0b7bce4648feda82506bfbd25f6e35299f4ca38a2d0952dfbe669dbb
SHA512 72a07caf7ad0209400e6acba520594428560ebd81f4c7baa350392fb73b75a8907ce9b175088893d9de2bf0ad710ff2a5a3c0abb0add38fdf538ff6ce870a65c

memory/5924-19-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

C:\Program Files (x86)\SogouDownLoad\html\download.html

MD5 e50275eb17164ac5d97624940ab96a6e
SHA1 13ee435c49a781db1bebccfa33a8b0c28446ec86
SHA256 afac1879d10be5235a4d074c9084e61aadff82aab839bacc96e39d103ba4f843
SHA512 4f2cb13394555cd34ad2219740d342f71186c33409c3a69cc454486341b8cbc924e2b5d3208a86b45343dc1fccc2217beb0126fba467f920f014d94516dd0fbb

C:\Program Files (x86)\SogouDownLoad\html\css\down.css

MD5 84db4fb862441444de44fc92f7872b28
SHA1 e84789926527cfc0f07000720799266e7337ce85
SHA256 2db706458c7b0b41021ef2f10549f4974f134f2d683f46ae4a78f49b97f981f1
SHA512 39e4b7ace01af64248afcbebd01a1fb550dbb441ca9d083e0ad33cd8a7b859af86baf91d1ddfeb5fe6aafb07cfcbcfee69eb1b4d8016ad974126dbbf31bb3d7c

C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif

MD5 35cbcf30c37a40b66a7bdd9520907213
SHA1 f1d252908873ba61906535d7bf14ced37be2aabc
SHA256 4ae4ea3c7949bffc51a37c6219a9612594c2c48e2b92bff2c5991162b9ce9e41
SHA512 654a0edee6601c679780550a4d2c080f81acdaf19d470d26164d791f774f6b3efcbc294a9b3f481183f1cff2fe5c2542e4aa3307513ca3499dcd569d0fcb112d

C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif

MD5 0e0ac8352cd69f396f271fa32f3ab554
SHA1 ed6d306a5033707f45477df3318a53d15b47cf43
SHA256 c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA512 5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif

MD5 70d3c5cc5e7561ae74683b1ce4530392
SHA1 46c09ecdd29f1ef35de4b4b3aea3854099910597
SHA256 49c130fe7fd6e0d9b9e277383d7b977e2230a2986b311efa6c6e2152b46e26c4
SHA512 3b02311524984112da93c8bbd09898532870017dcc5c3da1915e31fdf90d22a5bbed2f7328cd938a55c2b296c6ba5edee7fed7fafa6397a8f959c657c1b3b533

memory/5924-25-0x0000000000DB0000-0x0000000000DB1000-memory.dmp