036b971c031f1a90ddbf4e298d3f6491259bd1594fb9d9cc7f0025a8c68bc112

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe
Size

2.3MB
MD5

6926861abc5e60e35309e6bd1f40ddd2
SHA1

68d78e10ce0d92f943725f4a20cde30336551765
SHA256

036b971c031f1a90ddbf4e298d3f6491259bd1594fb9d9cc7f0025a8c68bc112
SHA512

a3cf7bdcefaa2e2b4da50b3ebd5f35db2c6704d5f6a3d7bcb912cf90b014c42534ec0b97fb766c1b5ceb73d0228e0dbb51cac92e0ad28f60cb8ae0d5dce93db9
SSDEEP

49152:0uuE7AnqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFWd:eE7AqrlyutLxC3sEwwMd

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exeSogouSoftware.exeExternalApp.exeMiniTPFw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	SogouSoftware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ExternalApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MiniTPFw.exe

Executes dropped EXE 9 IoCs

Processes:

minidownload.exeSogouSoftware.exeExternalApp.exeSogouSoftware.exeMiniTPFw.exeThunderFW.exeUpdateService.exeUpdateService.exeMiniThunderPlatform.exe

pid	process
1832	minidownload.exe
1200	SogouSoftware.exe
1604	ExternalApp.exe
2088	SogouSoftware.exe
4024	MiniTPFw.exe
1448	ThunderFW.exe
4168	UpdateService.exe
4772	UpdateService.exe
4908	MiniThunderPlatform.exe

Loads dropped DLL 27 IoCs

Processes:

SogouSoftware.exeExternalApp.exeregsvr32.exeregsvr32.exeregsvr32.exeSogouSoftware.exeMiniThunderPlatform.exe

pid	process
1200	SogouSoftware.exe
1604	ExternalApp.exe
1604	ExternalApp.exe
1604	ExternalApp.exe
1604	ExternalApp.exe
1604	ExternalApp.exe
3760	regsvr32.exe
5036	regsvr32.exe
2128	regsvr32.exe
2088	SogouSoftware.exe
2088	SogouSoftware.exe
2088	SogouSoftware.exe
2088	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe
4908	MiniThunderPlatform.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ExternalApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun"	ExternalApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exeSogouSoftware.exeExternalApp.exeSogouSoftware.exeMiniThunderPlatform.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	SogouSoftware.exe
File opened for modification	\??\PhysicalDrive0	ExternalApp.exe
File opened for modification	\??\PhysicalDrive0	SogouSoftware.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Drops file in System32 directory 4 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	regsvr32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	regsvr32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	regsvr32.exe

Drops file in Program Files directory 64 IoCs

Processes:

ExternalApp.exeminidownload.exe

description	ioc	process
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\confirm_dlg.xml	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\GIF\.svn\text-base\loading.gif.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\apk.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\tooltip.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\APKlogo.ico	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\andorid_to_pc.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\check_uncheck_disable.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\update\USBDT.dll	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\menubtn.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\android_to_pc_dlg.xml.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\download_nor.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\gzipdll.dll	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\soft_update_left_two.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\classify_btn_pushed.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\bottom_shadow.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\driver_uninstall.gif.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\smallbtn_shadow.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\WerelessNet.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\update_dlg_otherfont.xml.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\combo_hot.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\soft_essential_left_more.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\ScrollBar\.svn\entries	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\CPU.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\ins_progress_bk.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\checkbox.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\DrvInst64\.svn\format	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\.svn\text-base\atl71.dll.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\setting_dwn.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\ÕýÊ½°æÑ¡ÖÐ×´Ì¬.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\Mouse.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\ThunderFW.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_restore_list_item.xml	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\dlg_feedback.xml.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\logo3434.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\refresh_nor2.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\WerelessNet.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\Unknown4848.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\download_btn_icon.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\menu_dwn.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\Net4848.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\.svn\prop-base\adbdll.dll.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\combo.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\scroll_bk.png	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\btn3state_softupdate_more.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\feedback_nor.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\3.0.0.0\.svn\prop-base\SogouPDAInfo.sqlite3.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\progress_bk.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\dtlapi_hw.dll	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\atl71.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\msvcr71.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\dlg_settings.xml.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\progress_fore.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\continuebtn.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\drv64\drv64.exe	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\zlib1.dll	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\btn_3state.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\dlgClose_act.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\item_unfold.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\driver_backup.gif.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\backward_normal.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\shy.png.svn-base	ExternalApp.exe
File created	C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\WirelessNet4848.png	ExternalApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\minidownload.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\minidownload.exe	nsis_installer_2
C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe	nsis_installer_1
C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

ExternalApp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppName	ExternalApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppPath	ExternalApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\Policy = "3"	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}	ExternalApp.exe

Modifies data under HKEY_USERS 37 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeExternalApp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ExternalApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\URL Protocol	ExternalApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\ = "DownLoadBHO Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\ = "DownLoadBHO Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\LocalServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe"	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open\command	ExternalApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\LocalServer32	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\*	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\ = "URL:SogouSoftware Protocol"	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open	ExternalApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}	ExternalApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ = "IGameDownload"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

SogouSoftware.exeUpdateService.exeSogouSoftware.exe

pid	process
2088	SogouSoftware.exe
2088	SogouSoftware.exe
4772	UpdateService.exe
4772	UpdateService.exe
2088	SogouSoftware.exe
2088	SogouSoftware.exe
2088	SogouSoftware.exe
2088	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe
1200	SogouSoftware.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SogouSoftware.exeSogouSoftware.exe

pid process

2088 SogouSoftware.exe
1200 SogouSoftware.exe
1200 SogouSoftware.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SogouSoftware.exeSogouSoftware.exe

pid process

2088 SogouSoftware.exe
1200 SogouSoftware.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SogouSoftware.exeSogouSoftware.exe

pid process

2088 SogouSoftware.exe
2088 SogouSoftware.exe
1200 SogouSoftware.exe
1200 SogouSoftware.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exeSogouSoftware.exeExternalApp.exeregsvr32.exeMiniTPFw.exe

description	pid	process	target process
PID 4128 wrote to memory of 1832	4128	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe	minidownload.exe
PID 4128 wrote to memory of 1832	4128	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe	minidownload.exe
PID 4128 wrote to memory of 1832	4128	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe	minidownload.exe
PID 4128 wrote to memory of 1200	4128	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe	SogouSoftware.exe
PID 4128 wrote to memory of 1200	4128	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe	SogouSoftware.exe
PID 4128 wrote to memory of 1200	4128	6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe	SogouSoftware.exe
PID 1200 wrote to memory of 1604	1200	SogouSoftware.exe	ExternalApp.exe
PID 1200 wrote to memory of 1604	1200	SogouSoftware.exe	ExternalApp.exe
PID 1200 wrote to memory of 1604	1200	SogouSoftware.exe	ExternalApp.exe
PID 1604 wrote to memory of 3760	1604	ExternalApp.exe	regsvr32.exe
PID 1604 wrote to memory of 3760	1604	ExternalApp.exe	regsvr32.exe
PID 1604 wrote to memory of 3760	1604	ExternalApp.exe	regsvr32.exe
PID 1604 wrote to memory of 5036	1604	ExternalApp.exe	regsvr32.exe
PID 1604 wrote to memory of 5036	1604	ExternalApp.exe	regsvr32.exe
PID 1604 wrote to memory of 5036	1604	ExternalApp.exe	regsvr32.exe
PID 5036 wrote to memory of 2128	5036	regsvr32.exe	regsvr32.exe
PID 5036 wrote to memory of 2128	5036	regsvr32.exe	regsvr32.exe
PID 1604 wrote to memory of 2088	1604	ExternalApp.exe	SogouSoftware.exe
PID 1604 wrote to memory of 2088	1604	ExternalApp.exe	SogouSoftware.exe
PID 1604 wrote to memory of 2088	1604	ExternalApp.exe	SogouSoftware.exe
PID 1604 wrote to memory of 4024	1604	ExternalApp.exe	MiniTPFw.exe
PID 1604 wrote to memory of 4024	1604	ExternalApp.exe	MiniTPFw.exe
PID 1604 wrote to memory of 4024	1604	ExternalApp.exe	MiniTPFw.exe
PID 4024 wrote to memory of 1448	4024	MiniTPFw.exe	ThunderFW.exe
PID 4024 wrote to memory of 1448	4024	MiniTPFw.exe	ThunderFW.exe
PID 4024 wrote to memory of 1448	4024	MiniTPFw.exe	ThunderFW.exe
PID 1604 wrote to memory of 4168	1604	ExternalApp.exe	UpdateService.exe
PID 1604 wrote to memory of 4168	1604	ExternalApp.exe	UpdateService.exe
PID 1604 wrote to memory of 4168	1604	ExternalApp.exe	UpdateService.exe
PID 1200 wrote to memory of 4908	1200	SogouSoftware.exe	MiniThunderPlatform.exe
PID 1200 wrote to memory of 4908	1200	SogouSoftware.exe	MiniThunderPlatform.exe
PID 1200 wrote to memory of 4908	1200	SogouSoftware.exe	MiniThunderPlatform.exe

C:\Users\Admin\AppData\Local\Temp\6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6926861abc5e60e35309e6bd1f40ddd2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\minidownload.exe
"C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1832

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
"C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VfMOrRMA_6qOhShbA1gDZ21gXJ8-dW6ZyJd2HMCZpOTvLIGNafI07QZpggfaFdLzRilLVZzhV53fF-ago-P3fECJIPRI-Fuc_AxfASetSfW-LPCjVth8Sku5Jp5e2TsHIa3kHHvOR8h0rNkC1O-u-OP-8wtI1ff_KDaem0Ixui-eXWHnXXzHlFg..%26pcid%3D-5387338580520352447%26filename%3Ddjyx_22_1412837413_djyx_22_2014-10-9_VIPDL_signed.exe&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F15296_48_1398674358.png&softname=%E5%AE%9E%E5%86%B5%E8%B6%B3%E7%90%832014&softsize=3.39MB
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
"C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe" /Update
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3760

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2128

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
"C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
"C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024

C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
"C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe" MiniThunderPlatform2024-05-2300:33:48 "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe"
5⤵
- Executes dropped EXE
PID:1448

C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
"C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Install
4⤵
- Executes dropped EXE
PID:4168

C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
"C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe" -StartTP
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:408

C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
"C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SogouSoftware\3.2.2.58\CommonState.dll
Filesize
83KB

MD5
6e888d41691f655ab9ec752384e009eb

SHA1
6c54689dc6fe3070e2d24011a9f8e710f5444d66

SHA256
a5adc7b2757172c55834a3720731c0b3eb22ddd1766cc531c06de537bcef786d

SHA512
5995cb6a7bc4573d5593904fb518bef91401b4f44fef808ed915017a0b7f0589bb5b810fc183b196ea57de32ec4a0e63b54ce89dde3283e41ff706c6999c4977

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\DuiLib.dll
Filesize
827KB

MD5
28ba86c039552346dafff7e9363ce02e

SHA1
0c7848c17f84f7fae9f058ae49658dba4371975c

SHA256
49837458d579b16b25f81d0d477922c0d363867e120e0114577c2eb0506639a9

SHA512
60fa470134c5a9dfeacf2ebf615d656fd84d80f00ce0c3ff6d617e73f7942b5d48501b1073cd76fa717a0323d69b246170af5f8232ae7d4af3bc45b0325e7283

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\SogouSoftware.dll
Filesize
1.2MB

MD5
fb7a98797d8601196a79545775864de7

SHA1
0148ce7895eab4725b95a57e0fd3469a21de579f

SHA256
ffd9ab6a997659efee084a1493784c2755010a04f5a2ab03cd0ea74c637b3e96

SHA512
3afbef824abb40ccf128bdfa52cb7357b7340fe9a65139b6a2f42a17425548a96a7c95c3154728517aa784d8b00c0a5834a4af95f04bdc590eb8cfab9c24f75a

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll
Filesize
272KB

MD5
c97af614b96b1d7adeed67261b3771c0

SHA1
f67f94dff7a78953d4a9a6af63d30fc7dfe40a8e

SHA256
98f283754465cae416af646c9c68e4c1a60eea088616bb5a265cfdd9c896b1b8

SHA512
972cee7e0fe258ec1d62cbe7b077380010a5ab4a02c24791d23e10047f5d2a16e847b2a33bde9f7b27e6a59483f61371d98186281ef40a3a370629f546f6d322

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll
Filesize
315KB

MD5
b256f88501223e358c03ea2a172e0f7f

SHA1
9ee8c5b3db6d7076742c488b001a76741fc3aefe

SHA256
2fc446c8fdb3ad5711e6e83c720379062accd40cf9203c6e484eea83faecb840

SHA512
10f9d2bcf55d2241cb92dea7b1f7833f7d2536e93c7906d3c483df25f8515f24bd3fa57659f8972b888cf57457ae5bd5a9f564e9326278ddc66ed7201e52d19e

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\GIF\loading.gif
Filesize
19KB

MD5
e063c8184a9e97620dbd79c0e24c97a7

SHA1
ce1d307184e4789e60616afab606fdffd99b0735

SHA256
3fe39e316a3cd05ff277100c85841d18db9d85080f80f35cb41e91cf1d513601

SHA512
e9aad74aae57de6e5f23407ca548cc1c29de8fd6441a91318e8d4fb8f6f096b3f2345d18a9e8a6b12e7154ed6a90f8026803c756321460db37108e94d8e0dfac

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\GIF\refreshing.gif
Filesize
4KB

MD5
a660c1df04d00ec5f1c27c882a5ad99b

SHA1
db5dd290a4afe1657a2524984d07d1631e680bd7

SHA256
a235a0e9c357de24a274e1db993dc0616fe656159bfeb3ca753dcf7e005d9e29

SHA512
3a87f7caaacab936d2698442382cea9bb6ab4476f8a001d8da8083cc9c9a92bd5936a835f2cc2655db42e8463fe71c473ed9f649d970f3c31e640f3eb7a4d12a

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\MySoftwareManager.xml
Filesize
23KB

MD5
f5f5698ee6b73535a7a55ffc9df6f38f

SHA1
76b4f170b339481149f72a7294218ad7ea5f9ecd

SHA256
613125461abb68bf1535c2b28d3cbf1efc3fe04484acdb89c0e961296837f1ec

SHA512
5c83a38a0a0639bada0666592bcd73754e3f161b52ffcb14f066ce11ddac2f818de39ac5a36ebe3d026c202d087fcd1284d6fd5b65d38a112c6c1647274a3bc1

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\format
Filesize
2B

MD5
c30f7472766d25af1dc80b3ffc9a58c7

SHA1
136571b41aa14adc10c5f3c987d43c02c8f5d498

SHA256
aa67a169b0bba217aa0aa88a65346920c84c42447c36ba5f7ea65f422c1fe5d8

SHA512
0354672b288ac5ccd92c7336f24c3b5a9e669d95bf3036241d3919bae5aadba2c312742d7b422cb04347d6ce98151019baf81a3390e12de140365f17a9cf9afc

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\all_updated.png
Filesize
8KB

MD5
54fa38a675e31cb61c4d684857401bfa

SHA1
548d9fae0de3f34a40c66400524a48a4d9295491

SHA256
5bee78015e52f35c0e604a38b4045d04d174950a26658201714a770e4176f02d

SHA512
61bb5f5cbc3cb5ff9e05984678e2d12b5914340ab2dbf812ad1a519aa4938b3f4b220234c5b33d198efc2d8a90e6a947f8a20b352bd2862a313e57c43aad8fda

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\download_btn_icon.png
Filesize
1003B

MD5
6e30b0f37668df11c09a638ec2901959

SHA1
62f3c4379d14c86261724942016e8b30777049cb

SHA256
bf08172a35630a61b905c438f4c7f33df2a57ad078e24125de41b77880ee7e53

SHA512
f82eb5a5efcb8994a89a30ec47fc43173964adc5913f5277ac30adfd5c7f7a5c8cddbb6dcdff6ae49dc5391bed38884633482600e1fca84ce9738e52ade08cc1

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\driver_fresh_progress_bk.png
Filesize
950B

MD5
a0151daa5f849bb6b22e20abbab78436

SHA1
0f8a2ae2f4982fd562221cf8567cd6a5e68bad1f

SHA256
4443ee00c111715fdfbcc9f221c44bef3333de7e887b70c39417c61ec7369728

SHA512
b9dfb5c784a762ea9ee6b0b3fa514dd3c96242019d79c1919f11f195984c9626b934e668480152ee56c8b88ac2ebd0e028cc6af0c33f25573bb5fd019781071e

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\driver_icon.png
Filesize
1KB

MD5
af5deb4ef4870c69e6a7edf2f38faef4

SHA1
16bc05409d7da0a8121da977607af958d10e96fb

SHA256
638a6fd479b267e2a2b349953604a149bd521fc3f9d8f1ccd4b53aaef0a78513

SHA512
153714ebf00226c67d2a6d2cd88c1226bd16b951704cde38df869d7c488e2c753d2bfcc9389f504558578af4819e4573fdcb1f0bf478fe227ccc9c3f31294054

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\grin.png
Filesize
23KB

MD5
0d5b69334bc73302a52bc3bab5a5ac27

SHA1
da23a6f5ce158774ca047f7761e834258d907f52

SHA256
42030cb3333c77d3019180f5aca1deb1345de55cd33a1816db5b1a276445ac84

SHA512
c2d54552b7a874d8189adfb15d35af852d5b5b4526b76e72b914ea2fc4b022e632f5e583ff6528ad9bde2f2639d976d7215d9e76c5bf9376b1e33c84be1a3fb5

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\hwinfo.png
Filesize
1KB

MD5
bd0f970f72b8b9064dfaab084fc55fea

SHA1
c792935e9f72bea9b4ecc555b28ebb5fdf03ddfb

SHA256
6234d5b195a6f28da3e7fff79c4a95262ce33a176e8e8355b94a36f61e96913e

SHA512
cfcc5608056bdaf647361416e5c51a58caaed58548c1d32942eb946d177f781f76e984e997f1326abd07395ec42fff6fe47b1553a83728e9b1c4bbb849fd13bf

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\logo3434.png
Filesize
1KB

MD5
4c74aab2bcf16cb617837aaeaa7cfa1b

SHA1
37925cfde22e94db3f4ad04df39d8fb20ca55c17

SHA256
8092dffbb4bc611d6f92786fbab70fddf7da5634f84d423c6fc20afd26172628

SHA512
62d96a3dc3001b396907855f12f91073a9d9e1d602e111a859c84a3207431c12564e46d0f052f293692cb130b56eb4b9e6fe7310ec2db0b401e4225f7afefc2f

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\logo3636.png
Filesize
1KB

MD5
fa6fd08affac19e21aa47df7a50eacd4

SHA1
fff56332d1d2e2386ca874c9bd8540b3306f59fc

SHA256
97f1d1b373351f9593227c67cb5e8dc073641a962d81df936920f33cb8d3c4cc

SHA512
9f4ce00d51450ef25e06dfe64587fcf8a5e9d65288ac9c44af733e10825e2173f40ea1e37d4dd1c39842b4b23b8a53cf9d0a0aeb609261ef0a3ee394c6f3ddd8

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\logo_text.png
Filesize
1KB

MD5
9876c5a2a2433a1d0d12dc272c2c226b

SHA1
508fbfb0a0164ce84a83c1f8fe257035e3b62929

SHA256
e182eb30de511bbc685548a771daa015a42299c207989c495bba0e8c9f5d0c1b

SHA512
5c89ba6180d0b22cf45db507b4d90e61e4d32b0753703f5735d36caf442e25d2ee4a617495ff022a6cedbb9fd0949912d5feb068afcb6aecc2451a7541edeeef

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\pcinfo.png
Filesize
1KB

MD5
ee3e7acb4e6cbd2bd2280af9f3b61805

SHA1
3173f5a908928a464ce97181e20b84bc67e7adc8

SHA256
7f721406c23540bef70c6f91abc63b98ca26bca59f13605f96005612e56e5e7a

SHA512
4adec1dbff9bf684f2637df46094f2e344b71c960775ebce7885b45fe71ac9f356cad868ee18b04d7cef54e52cb5d98756f1c2f3397a9fc3b30ac4f4ce6697dd

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\search_bar_nor.png
Filesize
17KB

MD5
6e0e5b09e6b0dbcd105c1dcfd13025bf

SHA1
421f47fb759a3b8a68dfd33e980ee01a3312677e

SHA256
d4bf4bf16ea64e57391cebd9d85d8cbbad866b7dfbb32882ecc7f8a29b19f5e0

SHA512
783070dc6a31297c942ca857a04c6d1c3542456b63987cf9ca54c7b7c22d6fc0b3bd78c7e7a7d0a8d898307a0c1740554096640991ffcf0d21baac96266a9f65

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\shy.png
Filesize
5KB

MD5
41e22dc53a45821cf4755dfd512097fa

SHA1
9009f852a32c89dc6a2a01c6a658579389f0907c

SHA256
81e89178822622014427ff3d3b11179d392ec4f222b331d6483214667e8e9749

SHA512
3770f8c789bc51b8d9354cd8de7e70072d4f4d09f66e37e6030e830f28a8f3b2f4aea90db53bf5e713d2a7b38b86f150e0f9b44ea4f56fe3362cc508feecabd4

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\software_icon.png
Filesize
995B

MD5
db61ef6be10662bde9e80c76e3b51854

SHA1
f48725f24dec25548d1a778dbc9fa95146a042b2

SHA256
478ce132c5472395f0ccfe3853a6b60dc727c2ee1c8d525c05e8717e264fd176

SHA512
dce39e93e47089104cc9fd1a73abcc506ccb4b29132e2b56adf8f052c9bc6dc6a05452bf7e44c60363705467af13a1cfefb87fede4f15aee6e73272a07e72f95

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\dlg_feedback.xml
Filesize
1KB

MD5
0a95dc62283f289fb8feb00fd107a331

SHA1
54e454742851cdf104c188f6ef0893e1317c5ce0

SHA256
6d120d20402014fac1815bb274b4eb852aec8a459a4f752e849b6cd67b964de2

SHA512
983531f33d9fb8509cc2ca504b2a7bcf1ee26c3bf923577e554a59d37a29f17873b51c8932af1fef27b071bd17767995a5bfa3127c1e1b6bb1519d2d30f47ffd

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\dlg_settings.xml
Filesize
6KB

MD5
c4a2e75b5e971eabb129a0ad55cace99

SHA1
fcb5884b88ce9236b5f84eb49593542daac132d2

SHA256
b90df94918f79633c5dbd2513523668f347f708c72bb5d7490cb3127c99b32c5

SHA512
6bb4a3fa8761bb9396868f8d6602f92cfecac39e5678f75a2ee37053ecd3752680ca07357521edae4fd87090a996acfb968b4f2b53b0b88d3ea1e1ebdebcedbc

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\bottom_shadow.png
Filesize
4KB

MD5
292cae7ef8a682ebc2fb855afcf54f2d

SHA1
2401ce33d598bf417859eee779127703fdaa4762

SHA256
9ccfd9c2c1a3b12aa881d6c4a52375595a50a7f3f2d8ba157dd12ffcdf1d75f7

SHA512
8f1b781676ba8dd945f9974282715be65f4b4302dc07196e7a1377b3fcbb73c209836be42e912a079879d5db0af9d411dd614a53fa5533d232b5dce5ea50055a

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\dash_line.png
Filesize
946B

MD5
1e8fb34ac9925d9bad14a75ec8ea5f56

SHA1
bb197cb5dc01c484788f958fcc4ada2b129fa5ef

SHA256
9f98ab7d58b34d7ce6bb84eac14edfb3ae263b315c1e8e6a3c161b31c19ed0a5

SHA512
9b9643a36bf239c78d77668e9b61bbb7247cc86ad03ff542fb2863c32775b1bd9f4ba964b23519e95c573cbae67389ea37697dd222dbca100cd3c2ea847b997b

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\driver_backup.gif
Filesize
3KB

MD5
2b5b82e25df6f7a29c85bc8936ad0372

SHA1
7974e774b772e55140a33ac38f30d648823ea0df

SHA256
a95dcb15124070565400eb6f6037d65c1941af8289ac4595d9d45bcbd35bf326

SHA512
dea76ec643fecb6edcca319bf51e7b42ea8db13f0a1a827b9467e6d2da92478081501c54b2030c7a1d103ce3bae9ed7f6b5dfdeedd13fffb677add2298bb098a

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\driver_freshed_waring.png
Filesize
1KB

MD5
e3e5a56632c8620a18044e695ba7cdb7

SHA1
bd2d52b5a6afcfc331117b6aa8e51b8c5db3e66e

SHA256
dfc05aa1d37f984f68db0303d2c4cf894b190659ebfc94486eda228d6b5fa95e

SHA512
c5808e1e035bce16e4599f0c0c7fcc54c007ea548c945a8c2bfff7c75efecfdc3a80da1b5fd9db70d60af05194b8b22842b501c76378af88a4f92f6e72bd2723

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\driver_scan.gif
Filesize
6KB

MD5
4816c26075e36885f8bb2425c45ef0fa

SHA1
26ba99e1abb5f2d521bbcf1200bf52d17c7cd619

SHA256
ada53503c33b6926f97032a4ebce51d831729ff1b76f74a2979be0f4dc8d8ee5

SHA512
a5b5ae94e3fa4347e06fc51becde42be56159d09c78a5c70ae9ad6f01ef57f064585c321541cbe8a56039f5a138dee13886d0ebc74f7736673a48f673b19e633

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\driver_uninstall.gif
Filesize
6KB

MD5
d16c01bbcfa1f9f0a0de089476a769c3

SHA1
222bab8900096282379f281e6ce8d0c5d1ae4264

SHA256
b5ae0f6777e4fb5923543135a918bebab7945bcb175d2eb293c590c791c9b7e9

SHA512
31335a7f62e698dd6cb67e811a82f5eb442df5b8d4ddde453528689ce2e61c9ece75652483ae58c45f4c269475d75125b111405380ff4aaf980e6918f1c0cf8a

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_backup_page.xml
Filesize
8KB

MD5
99c91df6c81dadcd064743be25f50480

SHA1
da5af0368ada0b3ecb6eede6137a5a01ea388113

SHA256
f8e4a1dfa021ebea8f705739f0d1eeaa29824af0f7283eee268d72cc3b53a1f8

SHA512
b703ef1330337dca4499ae204e5e23aec8dff6b47f361257e56e6abc499650266f86133effd5843c0dfc076cde32b2d8b46ac67608366b815d0f2e8035abde10

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_restore_page.xml
Filesize
3KB

MD5
0075ebe78309b52bd59fb132c31f912c

SHA1
dc931227e1f076abbce19c89245f38e303890665

SHA256
f7267655ec266625f19be5845a005da04da328cdd5ff91d239388a5ef21c0616

SHA512
fcfb1f872c5012db302f5330f12b2f6d5ee6ed86c3cd36f29ba4b57204f909f4be18692f4e2c887ef31cec009721191602f7c8d9647e3b293c168e674bb2563d

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_scan_page.xml
Filesize
7KB

MD5
273805210c8d49fd526e45ba8caca3c9

SHA1
0a45b0d24a345dbbae8be8f157af3288cc73a29b

SHA256
69931a6debab54157d1b5c0bdb124f36a6831ed7ae110b98c8f00cd886215f87

SHA512
f14df0ad40667999cc45710f342978c981a89cebd27a726e7b02bebd6dc807985db2cf1a2df6227ce8834c15763ecb6b9f3f161071c1bc4d7103ef39471e566e

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_uninstall_page.xml
Filesize
2KB

MD5
5add447f7599a9bacc6c870c6d9e8c3d

SHA1
429cefa6b79b2bc2abe0923e6e222b102eff3228

SHA256
0fc1ccdcb753da863531b1da84ffcc482ebd2ef9f9e5bc2c0c1c5c9674527a6b

SHA512
f9ee6ce2c7a0e2f7574b4730a9dd7824f0c1926332743ab00a9772aadd600cd668ccd76a0b07a3a901ebcedd43aeed3b6c4624b4a2d23396c0342be669dcc2e7

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\hardware_info_page.xml
Filesize
5KB

MD5
25eff46b9c07384eb6514c3056cf3edc

SHA1
a2703aa571978fd4405a548f9ca3c58924c5451d

SHA256
a31e6b90ae103837c49da3037458b843248b58ce4a6a79e551dd9b4f30129c33

SHA512
3ef4c686657683c0b23b138b025ed0f1318a07cbb4013d009d0d980c09c43088548aabbe34c95cc586838f130f9d76f2421311387f0bb5e5e69d966081b8d5d1

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\recommend_classify_table.xml
Filesize
5KB

MD5
74b9cc551416a9e012ad8d30d309e754

SHA1
22168c14cfeaff5d9ad1399fba131a3c5d4ee67c

SHA256
a004641143d10d28fb7302963e1afc77b16b4df41fb3df6b752944f3a190fff3

SHA512
989ce2b5520976a0c5cbc9d44149e5cb86444614557ddcaaffbad580ae1b38b8868fe6bca09768d2ce7b868c2335920e744cf530f24658bac78ed877875b83d8

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\soft_search_list.xml
Filesize
1KB

MD5
70d0733d91369221657da75972aa2996

SHA1
96f083da2839e79d1abfd48a59814184abaa32b3

SHA256
af03f14213c248c7fe7b670a7aa2d9dea1a1c724330c32f01352cf386ff5e57d

SHA512
3999d25b5d0cf7f94f60f20b78704161aed4a3871cbf508b9f575e93081cc7a23a8bd950d0eb3c9b08e0c86f8b7775f33efe047a1fa3f08c21390430b2b057a1

Download Submit
C:\Program Files (x86)\SogouSoftware\3.2.2.58\sqlite3.dll
Filesize
589KB

MD5
ae8a8778ac495b47070774f33089753a

SHA1
24b443630adbf79b12c920f8fa2586abdf8ba6d2

SHA256
bc35883beeb5da827d8eceb32d30bd07a838ad6c8ffa07f0dc7708a118ab4a39

SHA512
1bd8933a7ca742769bce5463190d774ecfb70b984e500ab8b0229330eb7c4aa5e7c8432385459f4cc8e528504d2d5382e8379f7d6c13daa7a7506184fef3b125

Download Submit
C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
Filesize
232KB

MD5
0bc2d003fcfe3fa65f4c3ba7a015fa41

SHA1
72ed85bc1c57259b4f2ed36d16ce3fed4e30607c

SHA256
388069590fb9569b6c498f941d0565416cb52fc803648ee21b8c59917c63eb4b

SHA512
ae8d83e6ca21ee9b0d5e5845fac3a4dc01c6038243da36b4360b2f42763478265cdafc89072c47672b9738de1930e5e5191e2bf91715055cbd16a949d313ff24

Download Submit
C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll
Filesize
450KB

MD5
b1ce2dba9515e144908aa34ac77f5a46

SHA1
0a3e601eeba273a16d815c5e59793eb73db9daad

SHA256
5a7349e46f16ec394af8575b666c132c010bacaa2c59da472b842ffeccc5623f

SHA512
d0a78b5de9126b8126b531fb8f72ae375aac898930dccd8a61f173c28470895daab56b368c34a5925020dfdc642785651445967904d8756bb1ce7c1d2f95525a

Download Submit
C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base
Filesize
53B

MD5
113136892f2137aa0116093a524ade0b

SHA1
a0284943f8ddfe69ceec90833e66d96bdf4a97f0

SHA256
ebbf7e8800c3446bc3a195fa53573bde1073b0bf7581a614372f1391a9286d02

SHA512
d3201cc19ae702a9813aa8bc39612ebaa48138903e9ede64dcadff213691f6e711876aa4fa083887c545325d5d8bf70649523c528090542459f2b01697180e99

Download Submit
C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
Filesize
58KB

MD5
58bb62e88687791ad2ea5d8d6e3fe18b

SHA1
0ffb029064741d10c9cf3f629202aa97167883de

SHA256
f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100

SHA512
cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

Download Submit
C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Program Files (x86)\SogouSoftware\manifest.cfg
Filesize
29B

MD5
dbdddb37dffafd829b9dddd86c8cbf57

SHA1
4fd1a652c7bfe2eb39e98a795cd77bc415b13d07

SHA256
e661aadd4b5793e960bebdb4862589720b757d7f2c9849c73a9490c162830466

SHA512
f1883accc58a7098f9b15a1a7225e7ef0e2ce3175dde6f5b2851c63654ee02919db734e41b45e74f998ba4c5e4f1fdc96abb5546a7fa1b02cc32ffe7d0c5fe36

Download Submit
C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
Filesize
11.9MB

MD5
1ea611695a4d643cf4c63a60151b9387

SHA1
7210cc8750b0c8c4d5cf0c49ad5274f1aab2c724

SHA256
9c2f73221152802fd96b407477ee23b75f1ce9c9dc7de0c019e95f9d9b453ff2

SHA512
68b50b8facba55b416b4160849c8ef4d79cc2af3969de14f26b96aeb9ed610ecfc201202a3f542030e5f26fb021e85acbb8c0602f1ef285387bfbac4b39e1a87

Download Submit
C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
Filesize
168KB

MD5
3d3e5a0455863ae5b4db90b07c974967

SHA1
d6316c15eeccb0942a2779636812be9b3da333d7

SHA256
8671d4570f9462ff5c4cca67094baaecefebea212b2c8f27ad29d38f76ff312b

SHA512
37178f6ce1bb692b3eb19767955089be56649a02b8eaa940522fcac29397030e2510a3c7419f3e72be0b595b2e8c8f13ce6d4ac723f22a52103d669e6490331e

Download Submit
C:\Program Files (x86)\SogouSoftware\Èí¼þÖúÊÖ.lnk
Filesize
1KB

MD5
07d4dbf4117006df3e840eafc881aa52

SHA1
8bc3fea434d3bc01a9898886f0443d17c6038961

SHA256
e43e5d1ed2f541bf9c4e6e5b74224a13f1c91e82ca9265bdf605a15bdf62a33c

SHA512
edc6d8e8664e847ad3605302d4af95f1064051e38475c0e486ab79acc003e79704e34cc86d80deaac8d1c0c9c6a80ecd9730abf1743fb3a201fbcd0cce32c2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\minidownload.exe
Filesize
1.9MB

MD5
0618e9851ea4a522abeded8d40c2f19e

SHA1
c6772967fdf545e32d28f3b46e97aec5b9ff99f5

SHA256
506c374fbdf14420306e2da8d123c2138c2ceabd2046178317508a25949d3dc4

SHA512
b8c4816d81aa14646a3b690da76c0d33f59b7d419305638747503dba6bb84a63b906fe7d0ced59850ad25db37c1e0e6f3bd614a902f2f5ffb3d2bf74ec4e571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuEAD.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1200-56-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1200-57-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4908-1118-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download