Malware Analysis Report

2024-09-23 11:15

Sample ID 240614-3n1cva1cqd
Target ac0bf74c05127212f2800825bf73af08_JaffaCakes118
SHA256 860befc00c41c533fa7c9011a0f5d1df1120724188050b67b088b1d7e06349e3
Tags
bootkit discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

860befc00c41c533fa7c9011a0f5d1df1120724188050b67b088b1d7e06349e3

Threat Level: Likely malicious

The file ac0bf74c05127212f2800825bf73af08_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence

Downloads MZ/PE file

Registers COM server for autorun

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

NSIS installer

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:40

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:40

Reported

2024-06-14 23:42

Platform

win7-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
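The four rows above record a handle to \??\PhysicalDrive0 opened with write access by the installer and by three of the executables it dropped; that handle open is what the "Writes to the Master Boot Record" signature and the bootkit tag rest on. The report shows no sector data being written, and software that reads a disk serial number or geometry opens the same device, so the check a practitioner wants is a before/after comparison of sector 0. The following is an added example, not code from the sandbox report or from Sogou: it parses a 512-byte MBR, hashes the boot-code region, and diffs the disk signature and partition table between two snapshots. read_sector0 is an assumed helper for a Windows host and needs an elevated prompt; the sample sectors are constructed and were not taken from the analysed machine.

```python
"""Confirm or rule out an MBR change from two raw snapshots of sector 0.

Added example for this report; not the sandbox vendor's code or Sogou's.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTCODE_LEN = 440      # classic MBR layout: boot code occupies bytes 0..439
DISKSIG_OFF = 440       # 4-byte NT disk signature
PARTTABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55AA boot signature


def parse_mbr(sector: bytes) -> Dict:
    """Split one sector into the fields a bootkit would have to touch."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIGNATURE_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTTABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISKSIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(before: bytes, after: bytes) -> List[str]:
    """Human-readable differences; an empty list means sector 0 is untouched."""
    a, b = parse_mbr(before), parse_mbr(after)
    diffs = []
    if a["bootcode_sha256"] != b["bootcode_sha256"]:
        diffs.append("boot code (bytes 0-439) changed")
    if a["disk_signature"] != b["disk_signature"]:
        diffs.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        diffs.append("partition table changed")
    return diffs


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Assumed Windows-only helper: needs an elevated prompt. Opening the
    device read-only does not itself trip the sandbox's write heuristic."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR)


def sample_mbr() -> bytes:
    """Constructed sector for offline use: NOP boot code, one bootable NTFS
    partition (type 0x07) at LBA 2048, 1 GiB long. Not from the analysed disk."""
    sector = bytearray(SECTOR)
    sector[:BOOTCODE_LEN] = b"\x90" * BOOTCODE_LEN
    struct.pack_into("<I", sector, DISKSIG_OFF, 0xDEADBEEF)
    struct.pack_into("<BBBBBBBBII", sector, PARTTABLE_OFF,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 2097152)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    # On a live host: snapshot = read_sector0() before detonation, again after,
    # then compare_mbr(snapshot_before, snapshot_after).
    clean = sample_mbr()
    patched = bytearray(clean)
    patched[0:4] = b"\xEB\x58\x90\x00"   # simulate a replaced boot stub
    print(parse_mbr(clean)["partitions"])
    print(compare_mbr(clean, bytes(patched)))
```

Hash the boot-code region separately from the partition table: a bootkit that hooks INT 13h replaces bytes 0..439 and leaves the partition table intact, while a partitioning tool does the opposite, so the two findings point at different culprits.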

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\SysWOW64\regsvr32.exe N/A
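While registering the DLL, regsvr32.exe created C:\Windows\System32\GroupPolicy\Machine\Registry.pol and touched gpt.ini; the report lists the files, not their contents. Registry.pol is the PReg format (a "PReg" magic and version 1, then [key;value;type;size;data] records with the brackets, semicolons and strings in UTF-16LE), and local machine policy is re-applied at every policy refresh, so a registry value pushed from there survives a cleanup that only deletes the live key. The parser below is an added example, not code from the report or from the vendor; the sample file is constructed, and its first record assumes the Internet Explorer Add-on List policy key (Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID, REG_SZ "1" meaning force-enabled) for the CLSID this report registers, which is a guess at what the dropped file might hold, not a value shown on this page.

```python
"""Parse a Group Policy Registry.pol (PReg) file taken from a forensic image.

Added example for this report; not the sandbox vendor's code or Sogou's.
"""
import struct
from typing import List, Tuple

REG_SZ, REG_DWORD = 1, 4
PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # magic + version 1


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_registry_pol(entries) -> bytes:
    """Serialise (key, value_name, type, raw_data) tuples in PReg layout:
    [key\\0;value\\0;type;size;data], brackets and ';' as UTF-16LE."""
    out = bytearray(PREG_HEADER)
    for key, name, rtype, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(name) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _read_cstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a null-terminated UTF-16LE string; bounds-checked so a truncated
    file raises instead of looping forever."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(buf):
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def decode_data(rtype: int, data: bytes):
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data  # other types are returned raw


def parse_registry_pol(buf: bytes) -> List[dict]:
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_cstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_cstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append({"key": key, "name": name, "type": rtype,
                        "data": decode_data(rtype, data)})
    return entries


def forced_addons(entries: List[dict]) -> List[str]:
    """CLSIDs force-enabled through the IE 'Add-on List' policy key."""
    return [e["name"] for e in entries
            if e["key"].lower().endswith("\\policies\\ext\\clsid") and e["data"] == "1"]


# Constructed sample file (assumption, not taken from the page): an Add-on
# List entry for the CLSID registered in this report, plus one REG_DWORD
# under a placeholder key so both value types are exercised.
SAMPLE_POL = build_registry_pol([
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Ext\\CLSID",
     "{D1871D0A-4929-4A3C-AAE5-684235E62244}", REG_SZ, _u16("1") + b"\x00\x00"),
    ("Software\\Policies\\Example", "Flag", REG_DWORD, struct.pack("<I", 1)),
])

if __name__ == "__main__":
    # Real use: parse_registry_pol(open(path_to_Registry_pol, "rb").read())
    for e in parse_registry_pol(SAMPLE_POL):
        print(e)
    print("force-enabled add-ons:", forced_addons(SAMPLE_POL and parse_registry_pol(SAMPLE_POL)))
```

Compare the parsed records with the live keys under HKLM\Software\Policies and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies: a value present in Registry.pol but absent from the registry means policy has not refreshed yet, and a value present in both is one that deleting from the registry alone will not remove.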

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\1.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\scroll_bk.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\WirelessNet.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\dlgshadow.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\button140.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\ins_app2phone.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\dlg_settings.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\search_bar_act_focus.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\Media4848.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\item_unfold.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\item_icon_5.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\scroll_thu.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\DrvInst64\.svn\all-wcprops C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\default_pkgicon.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\ins_banner.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\driver_backup_list_item.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\allow_debug.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\dtlapi_hw.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\soft_update_left_more.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\Unknown4848.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\pcinfo.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\setting_dwn.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\ScrollBar\.svn\prop-base\scrollH.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\icon_success.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\follow_tip.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\guide_smt.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\upgrade_stable_list_item.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\hover̬.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\soft_update_icon.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\btn_dropdown_expand.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\Display.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\DrvInst32\.svn\text-base\DrvInst_x86.exe.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\ins_confirm.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\update_list_dlg_2item.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\setting_nor.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\Printer4848.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\AdbWinApi.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\.svn\text-base\adbdll.dll.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\button.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\ready_icon.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\phone_normal.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\group_list_item.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\update_hov.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\guide_smt.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\软件助手.lnk C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
(the .lnk name is the GBK string 软件助手, "Software Assistant"; the raw report rendered its bytes as Èí¼þÖúÊÖ.lnk)
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\update_dlg_list_item.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\check.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\download_bind_checkbox.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\search_bar_act_focus.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\menu_item.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\msvcp71.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\atl71.dll.svn-base C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\upgrade_ignore_list_item.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\icon_success.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\.svn\text-base\id.dat.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\recommend_nor.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\Keyboard.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\driver_fresh_progress_fore.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\refresh_nor2.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\.svn\text-base\aapt.exe.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\3.0.0.0\Temp\ApkIcons\.svn\entries C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A
File created C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\MiniTPFw.exe.svn-base C:\Users\Admin\AppData\Local\Temp\minidownload.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C} C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppName C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppPath C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\Policy = "3" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
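The registry rows in the "Registers COM server for autorun", "Adds Run key to start application" and "Modifies Internet Explorer settings" tables are the artefacts to look for on a suspect host. Two points the rows carry but the signature names do not: the COM registration was performed twice, by the 64-bit C:\Windows\system32\regsvr32.exe for the native CLSID (InprocServer32 pointing at npdownload64.dll) and by the 32-bit SysWOW64 copy for the Wow6432Node view, so both views of the hive must be checked; and an ElevationPolicy entry with Policy = 3 tells Internet Explorer Protected Mode to launch the registered AppPath at medium integrity without prompting, which lets the low-integrity browser process start that application outside its sandbox. The following is an added example, not the sandbox vendor's code or Sogou's: it parses rows in the report's own format into hive notation, unescapes the data, and classifies them into a hunt list. The row grammar and the technique labels are this example's assumptions; the page's ATT&CK matrix is not rendered here.

```python
"""Turn the report's registry indicator rows into a host hunt list.

Added example for this report; not the sandbox vendor's code or Sogou's.
Assumed row grammar, inferred from the tables on the page:
    <operation> <path>[ = "<data>"] <process> <target>
with backslashes doubled and quotes escaped inside the quoted data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four rows copied from the behavioral1 tables.
SAMPLE_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\Policy = "3" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
'''

ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:str|int)\)|File created|File opened for modification)\s+'
    r'(?P<path>.+?)'
    r'(?:\s+=\s+"(?P<data>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<process>[A-Za-z]:\\.+?)\s+(?P<target>\S+)$'
)
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))
GUID = r"\{[0-9A-Fa-f-]{36}\}"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
COM_INPROC = re.compile(r"\\Classes\\(?:Wow6432Node\\)?CLSID\\" + GUID + r"\\InprocServer32$", re.I)
ELEVATION = re.compile(r"\\Internet Explorer\\Low Rights\\ElevationPolicy\\" + GUID + "$", re.I)


@dataclass(frozen=True)
class Indicator:
    operation: str
    key: str               # HKLM\... or HKU\<SID>\...; file paths pass through unchanged
    name: Optional[str]    # value name, "(Default)" for the key's default value, None for key ops
    data: Optional[str]    # unescaped value data
    process: str


def normalize_key(nt_path: str) -> str:
    """Map the NT object-manager form used in the report to hive notation."""
    for prefix, hive in HIVES:
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def unescape(data: str) -> str:
    return re.sub(r"\\(.)", r"\1", data)


def parse_rows(text: str) -> List[Indicator]:
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised row: %r" % line)
        path, name = m.group("path"), None
        if m.group("op").startswith("Set value"):
            # A trailing backslash in the report denotes the key's default value.
            path, _, name = path.rpartition("\\")
            name = name or "(Default)"
        data = m.group("data")
        indicators.append(Indicator(
            operation=m.group("op"), key=normalize_key(path), name=name,
            data=None if data is None else unescape(data), process=m.group("process")))
    return indicators


def classify(ind: Indicator) -> Optional[str]:
    """Labels are this example's mapping, not the report's ATT&CK matrix."""
    if RUN_KEY.search(ind.key):
        return "T1547.001 Run key autostart"
    if COM_INPROC.search(ind.key):
        return "COM in-process server: DLL loads into every host that instantiates the CLSID"
    if ELEVATION.search(ind.key):
        if ind.name == "Policy" and ind.data == "3":
            return "IE Protected Mode elevation policy 3: AppPath launches at medium integrity without a prompt"
        return "IE Protected Mode elevation policy entry"
    return None


def hunt_list(indicators: List[Indicator]) -> List[dict]:
    """One finding per (key, value name) worth checking on a suspect host."""
    seen, findings = set(), []
    for ind in indicators:
        finding = classify(ind)
        if finding is None or (ind.key, ind.name) in seen:
            continue
        seen.add((ind.key, ind.name))
        findings.append({"key": ind.key, "name": ind.name, "data": ind.data,
                         "process": ind.process, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in hunt_list(parse_rows(SAMPLE_ROWS)):
        print(f["finding"], "  key=%s name=%s data=%s" % (f["key"], f["name"], f["data"]), sep="\n")
```

Feed the whole table block of the report through parse_rows rather than the four sample rows; rows the grammar does not cover raise instead of being silently dropped, which is the behaviour you want when the output is a checklist for an incident responder.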

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE\SogouSoftware\Download C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE\SogouSoftware\Download C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE\SogouSoftware\DriverModule\AutoCheckInterval = "60" C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE\SogouSoftware\DriverModule\Enable = "0" C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE\SogouSoftware C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE\SogouSoftware\DriverModule C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE\SogouSoftware\DriverModule\AutoCheckInterval = "60" C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE\SogouSoftware\Download\DownloadPath = "C:\\SogouDownload" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE\SogouSoftware\DriverModule C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE\SogouSoftware\Download\DownloadPath = "C:\\SogouDownload" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE\SogouSoftware C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\APPDATALOW\SOFTWARE\SogouSoftware\DriverModule\Enable = "0" C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\APPDATALOW\SOFTWARE C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\ = "SogouDownLoadLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\ = "DownLoadBHO Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\DefaultIcon C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ = "IGameDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open\command C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C} C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ = "IDownLoadBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\DefaultIcon\ = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open\command\ = "\"C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe\" \"%1\"" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\LocalServer32 C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ = "IDownLoadBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A

Thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 fingerprint of the public DigiCert Global Root CA. Writing a well-known root into AuthRoot\Certificates while the sample is talking to ocsp.digicert.cn (see Network below) is what CryptoAPI's automatic root update does the first time it validates a chain to a root that is not yet cached locally, so on its own this row is not evidence of an attacker-controlled root being installed. Decode the Blob and compare the embedded certificate with the published DigiCert root before weighting this signature.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 2148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 2148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 2148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1752 wrote to memory of 1352 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
PID 1752 wrote to memory of 1352 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
PID 1752 wrote to memory of 1352 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
PID 1752 wrote to memory of 1352 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
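Every row in this table pairs a parent with a child it launched (the target is the child's own image, as listed under Processes, and the same pair repeats once per write), so the table is best read as the process tree rather than as injection into a foreign process. The following script is an added example, not part of the sandbox report: it parses rows in the flattened "PID <p> wrote to memory of <c> N/A <parent image> <child image>" layout shown above (that layout is an assumption about how the table was extracted), collapses repeated writes into a single edge with a count, and prints the tree. The sample rows are a constructed subset copied from the table.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. Each row names a parent PID,
a child PID and both image paths; the same pair is repeated once per write,
so rows are collapsed to one edge carrying a write count.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the table above (whitespace-flattened),
# with one pair (2148 -> 2720) repeated to show the de-duplication.
SAMPLE_ROWS = r"""
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 2148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 1752 wrote to memory of 1836 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1836 wrote to memory of 1732 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 2684 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2320 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1836 wrote to memory of 1888 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1836 wrote to memory of 2356 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 1888 wrote to memory of 1776 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 1752 wrote to memory of 1352 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
"""

# Assumed row layout. Image paths contain spaces, so the parent path is matched
# non-greedily up to the " C:\" that starts the child path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_rows(text):
    """Return [(ppid, cpid, parent_image, child_image)] for every matching row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            events.append((int(ppid), int(cpid), pimg, cimg))
    return events


def build_tree(events):
    """Collapse repeated writes into edges: (children, images, write_counts)."""
    children = defaultdict(list)
    images = {}
    counts = Counter()
    for ppid, cpid, pimg, cimg in events:
        counts[(ppid, cpid)] += 1
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        if cpid not in children[ppid]:  # first-seen order, no duplicate edges
            children[ppid].append(cpid)
    return children, images, counts


def roots(children):
    """PIDs that write to others but are never written to: the tree's entry points."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def lineage(children, pid):
    """Ancestor chain from the root down to pid, e.g. [2148, 1752, 1836, 1888, 1776]."""
    parent = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, images, counts, pid, depth=0):
    """Indented text tree, one line per process, with the edge's write count."""
    out = []

    def walk(p, d, n):
        tag = f" ({n} writes)" if n else ""
        out.append(f"{'  ' * d}{p} {images[p]}{tag}")
        for kid in children.get(p, []):
            walk(kid, d + 1, counts[(p, kid)])

    walk(pid, depth, 0)
    return "\n".join(out)


if __name__ == "__main__":
    ch, im, ct = build_tree(parse_rows(SAMPLE_ROWS))
    for r in roots(ch):
        print(render(ch, im, ct, r))
```

Feeding it the full table gives one root (the submitted sample, PID 2148) and the chain sample → SogouSoftware.exe → ExternalApp.exe → regsvr32.exe (32-bit) → regsvr32.exe (64-bit), which is the path by which the BHO DLLs get registered; the write counts per edge are uniform, which is what process creation looks like, not what a targeted injection looks like.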

Processes

C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\minidownload.exe

"C:\Users\Admin\AppData\Local\Temp\minidownload.exe"

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

"C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-IR5IpbEw6j9YpS1Wc4Ved3WXa85rh1XgyheSu4KSc873XX-0eLlV_4175qK_X1cC089g3UvQT4HFgXJ8-dW6Zyh6i63LXZxGM0W2Wqaimckia18juZWspKniF5_tMpLpMTV9OOG3TDj5uSN8GNMfht-hhfyrotZuymqeXTs4DKsqrgKv2NitWRKqRFCy2Uw-s.%26pcid%3D-1577129102750396778%26fr%3Dxiazai%26source%3Dtencent%26filename%3DTHS_qqguanjia_9.10.20.exe&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F1402_48_1626246961.png&softname=%E5%90%8C%E8%8A%B1%E9%A1%BA+%E5%85%8D%E8%B4%B9%E7%89%88&softsize=148.36MB

C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe

"C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe" /Update

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"

C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe

"C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe"

C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe

"C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Install

C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe

"C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe" MiniThunderPlatform2024-06-1423:42:38 "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe"

C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe

"C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Service

C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe

"C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe" -StartTP

Network

Country Destination Domain Proto
US 8.8.8.8:53 yz.app.sogou.com udp
DE 49.51.130.237:80 yz.app.sogou.com tcp
DE 49.51.130.237:443 yz.app.sogou.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
GB 163.181.57.244:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 ping.t.sogou.com udp
US 8.8.8.8:53 pc3.gtimg.com udp
CN 61.54.91.250:80 pc3.gtimg.com tcp
CN 112.84.131.72:80 pc3.gtimg.com tcp
CN 112.84.131.76:80 pc3.gtimg.com tcp
CN 211.97.84.40:80 pc3.gtimg.com tcp
CN 211.97.84.24:80 pc3.gtimg.com tcp
CN 123.138.13.58:80 pc3.gtimg.com tcp
US 8.8.8.8:53 xz.sogou.com udp
CN 81.69.138.198:80 xz.sogou.com tcp
US 8.8.8.8:53 yze.t.sogou.com udp
GB 168.235.193.88:80 yze.t.sogou.com tcp
US 8.8.8.8:53 ping.t.sogou.com udp
CN 81.69.138.198:80 xz.sogou.com tcp
US 8.8.8.8:53 zs.xiazai.sogou.com udp
DE 49.51.130.237:80 zs.xiazai.sogou.com tcp
CN 211.97.92.160:80 pc3.gtimg.com tcp
CN 81.69.138.198:80 xz.sogou.com tcp
CN 211.97.92.160:80 pc3.gtimg.com tcp
CN 119.188.155.60:80 pc3.gtimg.com tcp
CN 119.188.155.60:80 pc3.gtimg.com tcp
CN 81.69.138.198:80 xz.sogou.com tcp
CN 81.69.138.198:80 xz.sogou.com tcp
CN 81.69.138.198:80 xz.sogou.com tcp
US 8.8.8.8:53 xiazai.sogou.com udp
CN 81.69.138.198:443 xiazai.sogou.com tcp
US 8.8.8.8:53 hub5pn.hz.sandai.net udp
US 8.8.8.8:53 hub5pnc.hz.sandai.net udp
US 8.8.8.8:53 hub5u.hz.sandai.net udp
CN 39.98.66.213:8000 hub5pnc.hz.sandai.net udp
US 8.8.8.8:53 hub5c.hz.sandai.net udp
US 8.8.8.8:53 relay.phub.hz.sandai.net udp
CN 47.97.7.140:80 pmap.hz.sandai.net tcp
CN 116.132.223.136:80 hub5c.hz.sandai.net tcp
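The rows above mix DNS lookups against the sandbox resolver (8.8.8.8:53/udp) with actual contacts, and several names are looked up but never connected to while one (pmap.hz.sandai.net) is contacted with no lookup in the capture. The script below is an added example, not part of the sandbox report: it parses the "CC ip:port domain proto" rows (assumed layout), drops the resolver rows into a "names queried" set, and produces the endpoint list a practitioner would block or hunt for, flagging non-web ports. The sample rows are a constructed subset of the table; grouping names by their last two labels is an assumption that holds for every name in this table but not for zones such as .com.cn.

```python
"""Turn the Network table into an IOC summary.

Added example, not part of the sandbox report. Rows are 'CC ip:port domain proto'.
Resolver rows (8.8.8.8:53/udp) are DNS lookups, not contacts: they are kept as
'queried' names and excluded from the endpoint list.
"""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "country ip port domain proto")
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")
RESOLVER = ("8.8.8.8", 53)     # sandbox DNS server seen in the table
EXPECTED_PORTS = {80, 443}     # anything else is worth a closer look

# Constructed sample: a subset of rows copied from the Network table above.
SAMPLE_ROWS = """
US 8.8.8.8:53 yz.app.sogou.com udp
DE 49.51.130.237:80 yz.app.sogou.com tcp
DE 49.51.130.237:443 yz.app.sogou.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
GB 163.181.57.244:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 ping.t.sogou.com udp
US 8.8.8.8:53 xz.sogou.com udp
CN 81.69.138.198:80 xz.sogou.com tcp
CN 81.69.138.198:80 xz.sogou.com tcp
US 8.8.8.8:53 hub5pn.hz.sandai.net udp
US 8.8.8.8:53 hub5pnc.hz.sandai.net udp
CN 39.98.66.213:8000 hub5pnc.hz.sandai.net udp
CN 47.97.7.140:80 pmap.hz.sandai.net tcp
"""


def parse_network(text):
    """Return a Conn per row that matches the assumed layout."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            conns.append(Conn(cc, ip, int(port), domain, proto))
    return conns


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def summarize(conns):
    """Split lookups from contacts and derive the IOC lists."""
    queried = set()
    endpoints = defaultdict(set)          # domain -> {(ip, port, proto)}
    for c in conns:
        if (c.ip, c.port) == RESOLVER and c.proto == "udp":
            queried.add(c.domain)
            continue
        endpoints[c.domain].add((c.ip, c.port, c.proto))

    unique_ips = sorted({ip for eps in endpoints.values() for ip, _, _ in eps}, key=_ip_key)
    nonstandard = sorted(
        (d, ip, port, proto)
        for d, eps in endpoints.items()
        for ip, port, proto in eps
        if port not in EXPECTED_PORTS
    )
    # Assumption: registrable domain = last two labels (true for every name here).
    by_zone = defaultdict(set)
    for d in queried | set(endpoints):
        by_zone[".".join(d.split(".")[-2:])].add(d)

    return {
        "queried": sorted(queried),
        "endpoints": dict(endpoints),
        "unique_ips": unique_ips,
        "nonstandard": nonstandard,
        "unresolved": sorted(queried - set(endpoints)),   # looked up, never contacted
        "no_lookup": sorted(set(endpoints) - queried),    # contacted, no lookup captured
        "by_zone": dict(by_zone),
    }


if __name__ == "__main__":
    s = summarize(parse_network(SAMPLE_ROWS))
    for zone, names in sorted(s["by_zone"].items()):
        print(zone, sorted(names))
    print("non-web ports:", s["nonstandard"])
    print("queried but never contacted:", s["unresolved"])
```

On the full table the non-web entry is the UDP contact to 39.98.66.213:8000 under hub5pnc.hz.sandai.net, and the sandai.net names as a group line up with the MiniThunderPlatform.exe / ThunderFW.exe components spawned under SogouSoftware, which is the piece of this install most worth a network block.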

Files

\Users\Admin\AppData\Local\Temp\minidownload.exe

MD5 0618e9851ea4a522abeded8d40c2f19e
SHA1 c6772967fdf545e32d28f3b46e97aec5b9ff99f5
SHA256 506c374fbdf14420306e2da8d123c2138c2ceabd2046178317508a25949d3dc4
SHA512 b8c4816d81aa14646a3b690da76c0d33f59b7d419305638747503dba6bb84a63b906fe7d0ced59850ad25db37c1e0e6f3bd614a902f2f5ffb3d2bf74ec4e571f

C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base

MD5 113136892f2137aa0116093a524ade0b
SHA1 a0284943f8ddfe69ceec90833e66d96bdf4a97f0
SHA256 ebbf7e8800c3446bc3a195fa53573bde1073b0bf7581a614372f1391a9286d02
SHA512 d3201cc19ae702a9813aa8bc39612ebaa48138903e9ede64dcadff213691f6e711876aa4fa083887c545325d5d8bf70649523c528090542459f2b01697180e99

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

MD5 0bc2d003fcfe3fa65f4c3ba7a015fa41
SHA1 72ed85bc1c57259b4f2ed36d16ce3fed4e30607c
SHA256 388069590fb9569b6c498f941d0565416cb52fc803648ee21b8c59917c63eb4b
SHA512 ae8d83e6ca21ee9b0d5e5845fac3a4dc01c6038243da36b4360b2f42763478265cdafc89072c47672b9738de1930e5e5191e2bf91715055cbd16a949d313ff24

C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll

MD5 b1ce2dba9515e144908aa34ac77f5a46
SHA1 0a3e601eeba273a16d815c5e59793eb73db9daad
SHA256 5a7349e46f16ec394af8575b666c132c010bacaa2c59da472b842ffeccc5623f
SHA512 d0a78b5de9126b8126b531fb8f72ae375aac898930dccd8a61f173c28470895daab56b368c34a5925020dfdc642785651445967904d8756bb1ce7c1d2f95525a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I1XZEFUL.txt

MD5 e72016b8dfb3648ad3b775ec798ddd8e
SHA1 ee2ccf69f4a0c830039ab7a0780b559a34306ac5
SHA256 444d426623b29c7f166a2968d5e47bd5263890acc5a399c532bcda5859bb1298
SHA512 0b668596d77c4a0d62cd178413acc1b7827c42a48c5da5cf4ad011c0abf2e4d0e5cd0f6af6bb656ca994d7040502b48b869031a18b7dcde969690eb61a7333bb

C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe

MD5 1ea611695a4d643cf4c63a60151b9387
SHA1 7210cc8750b0c8c4d5cf0c49ad5274f1aab2c724
SHA256 9c2f73221152802fd96b407477ee23b75f1ce9c9dc7de0c019e95f9d9b453ff2
SHA512 68b50b8facba55b416b4160849c8ef4d79cc2af3969de14f26b96aeb9ed610ecfc201202a3f542030e5f26fb021e85acbb8c0602f1ef285387bfbac4b39e1a87

C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\format

MD5 c30f7472766d25af1dc80b3ffc9a58c7
SHA1 136571b41aa14adc10c5f3c987d43c02c8f5d498
SHA256 aa67a169b0bba217aa0aa88a65346920c84c42447c36ba5f7ea65f422c1fe5d8
SHA512 0354672b288ac5ccd92c7336f24c3b5a9e669d95bf3036241d3919bae5aadba2c312742d7b422cb04347d6ce98151019baf81a3390e12de140365f17a9cf9afc

\Users\Admin\AppData\Local\Temp\nsu16BD.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Program Files (x86)\SogouSoftware\3.2.2.58\SogouSoftware.dll

MD5 fb7a98797d8601196a79545775864de7
SHA1 0148ce7895eab4725b95a57e0fd3469a21de579f
SHA256 ffd9ab6a997659efee084a1493784c2755010a04f5a2ab03cd0ea74c637b3e96
SHA512 3afbef824abb40ccf128bdfa52cb7357b7340fe9a65139b6a2f42a17425548a96a7c95c3154728517aa784d8b00c0a5834a4af95f04bdc590eb8cfab9c24f75a

\Program Files (x86)\SogouSoftware\3.2.2.58\DuiLib.dll

MD5 28ba86c039552346dafff7e9363ce02e
SHA1 0c7848c17f84f7fae9f058ae49658dba4371975c
SHA256 49837458d579b16b25f81d0d477922c0d363867e120e0114577c2eb0506639a9
SHA512 60fa470134c5a9dfeacf2ebf615d656fd84d80f00ce0c3ff6d617e73f7942b5d48501b1073cd76fa717a0323d69b246170af5f8232ae7d4af3bc45b0325e7283

\Program Files (x86)\SogouSoftware\3.2.2.58\sqlite3.dll

MD5 ae8a8778ac495b47070774f33089753a
SHA1 24b443630adbf79b12c920f8fa2586abdf8ba6d2
SHA256 bc35883beeb5da827d8eceb32d30bd07a838ad6c8ffa07f0dc7708a118ab4a39
SHA512 1bd8933a7ca742769bce5463190d774ecfb70b984e500ab8b0229330eb7c4aa5e7c8432385459f4cc8e528504d2d5382e8379f7d6c13daa7a7506184fef3b125

\Program Files (x86)\SogouSoftware\3.2.2.58\CommonState.dll

MD5 6e888d41691f655ab9ec752384e009eb
SHA1 6c54689dc6fe3070e2d24011a9f8e710f5444d66
SHA256 a5adc7b2757172c55834a3720731c0b3eb22ddd1766cc531c06de537bcef786d
SHA512 5995cb6a7bc4573d5593904fb518bef91401b4f44fef808ed915017a0b7f0589bb5b810fc183b196ea57de32ec4a0e63b54ce89dde3283e41ff706c6999c4977

C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll

MD5 c97af614b96b1d7adeed67261b3771c0
SHA1 f67f94dff7a78953d4a9a6af63d30fc7dfe40a8e
SHA256 98f283754465cae416af646c9c68e4c1a60eea088616bb5a265cfdd9c896b1b8
SHA512 972cee7e0fe258ec1d62cbe7b077380010a5ab4a02c24791d23e10047f5d2a16e847b2a33bde9f7b27e6a59483f61371d98186281ef40a3a370629f546f6d322

C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll

MD5 b256f88501223e358c03ea2a172e0f7f
SHA1 9ee8c5b3db6d7076742c488b001a76741fc3aefe
SHA256 2fc446c8fdb3ad5711e6e83c720379062accd40cf9203c6e484eea83faecb840
SHA512 10f9d2bcf55d2241cb92dea7b1f7833f7d2536e93c7906d3c483df25f8515f24bd3fa57659f8972b888cf57457ae5bd5a9f564e9326278ddc66ed7201e52d19e

C:\Program Files (x86)\SogouSoftware\软件助手.lnk (GBK filename, "Software Assistant")

MD5 f59ebdd09a420b367710e2c2338ebd9e
SHA1 35e7fa4ebac44a234d068a7b6b834868bc5ab486
SHA256 0a5c57642e7a38fa5090d05e64ca6421b6702be1550bab104bcdcbe3dd306e4c
SHA512 924ca49081c58bf7820a6edf2dbe6780354232a90e5d3361dfd9cc2064aa1736c7aaa3a7179569f046771553a3ffa7d80baeadf4ba8c01da284d0f382d6eb127

C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe

MD5 58bb62e88687791ad2ea5d8d6e3fe18b
SHA1 0ffb029064741d10c9cf3f629202aa97167883de
SHA256 f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100
SHA512 cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

\Program Files (x86)\SogouSoftware\update\UpdateService.exe

MD5 3d3e5a0455863ae5b4db90b07c974967
SHA1 d6316c15eeccb0942a2779636812be9b3da333d7
SHA256 8671d4570f9462ff5c4cca67094baaecefebea212b2c8f27ad29d38f76ff312b
SHA512 37178f6ce1bb692b3eb19767955089be56649a02b8eaa940522fcac29397030e2510a3c7419f3e72be0b595b2e8c8f13ce6d4ac723f22a52103d669e6490331e

\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe

MD5 f0372ff8a6148498b19e04203dbb9e69
SHA1 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA512 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\MySoftwareManager.xml

MD5 f5f5698ee6b73535a7a55ffc9df6f38f
SHA1 76b4f170b339481149f72a7294218ad7ea5f9ecd
SHA256 613125461abb68bf1535c2b28d3cbf1efc3fe04484acdb89c0e961296837f1ec
SHA512 5c83a38a0a0639bada0666592bcd73754e3f161b52ffcb14f066ce11ddac2f818de39ac5a36ebe3d026c202d087fcd1284d6fd5b65d38a112c6c1647274a3bc1

C:\Program Files (x86)\SogouSoftware\manifest.cfg

MD5 dbdddb37dffafd829b9dddd86c8cbf57
SHA1 4fd1a652c7bfe2eb39e98a795cd77bc415b13d07
SHA256 e661aadd4b5793e960bebdb4862589720b757d7f2c9849c73a9490c162830466
SHA512 f1883accc58a7098f9b15a1a7225e7ef0e2ce3175dde6f5b2851c63654ee02919db734e41b45e74f998ba4c5e4f1fdc96abb5546a7fa1b02cc32ffe7d0c5fe36

memory/1752-1125-0x0000000009690000-0x00000000096E6000-memory.dmp

memory/1752-1127-0x0000000009690000-0x00000000096E6000-memory.dmp

memory/1352-1128-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1752-1126-0x0000000009690000-0x00000000096E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:40

Reported

2024-06-14 23:42

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
N/A N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe N/A
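
The five rows above record handles opened for write access on \??\PhysicalDrive0 by the original installer, SogouSoftware.exe, ExternalApp.exe and MiniThunderPlatform.exe. The signature fires on the handle, not on a confirmed write: hardware-inventory and machine-ID components routinely open the raw disk only to read serial numbers, so on a suspect host the question is settled by reading sector 0 back and comparing it with a known-good copy. The Python below is an added example, not code from this report or from the software's vendor: it parses a 512-byte MBR, hashes the 440 bytes of boot code, decodes the partition table and lists what differs from a baseline. The sample sector, its boot-code bytes and the device path in read_sector0 are constructed for the example.

```python
"""Parse a 512-byte MBR and diff it against a baseline copy.

Added example (not from the report). A sandbox "opened PhysicalDrive0 for
modification" row only proves a writable handle; reading sector 0 back and
comparing boot code, disk signature and partition table proves a change.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440            # boot code precedes the 4-byte disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int


@dataclass(frozen=True)
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: tuple
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Decode one raw sector; empty partition slots (type 0) are dropped."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, start, count))
    return Mbr(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        partitions=tuple(parts),
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
    )


def diff_mbr(baseline: Mbr, current: Mbr) -> list:
    """Human-readable findings; an empty list means sector 0 is intact."""
    findings = []
    if baseline.boot_code_sha256 != current.boot_code_sha256:
        findings.append("boot code differs from baseline")
    if baseline.disk_signature != current.disk_signature:
        findings.append("disk signature changed")
    if baseline.partitions != current.partitions:
        findings.append("partition table changed")
    if not current.signature_ok:
        findings.append("0x55AA boot signature missing")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable type-0x07 partition at LBA 2048."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, 0x1234ABCD)   # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows; requires an elevated prompt. Not run here."""
    with open(device, "rb", buffering=0) as dev:
        return dev.read(SECTOR)


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435)   # constructed boot code
    tampered = bytearray(good)
    tampered[0:5] = b"\xe9\x00\x01\x90\x90"                             # patched entry jump
    print(diff_mbr(parse_mbr(good), parse_mbr(bytes(tampered))))
```

Take the baseline from the same machine before the sample runs (or from a clean image with the same disk layout); comparing against a different machine's MBR will flag the disk signature and partition table without meaning anything. An unchanged boot-code hash across all five processes above is the evidence that turns this signature from "bootkit" into "opened the disk".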

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\close_act.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\driver_uninstall.gif.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\closebtn_normal_dlg.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\Monitor4848.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\gzipdll.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\tips_down.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\.svn\text-base\msvcp71.dll.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\update_dlg_otherfont.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\CPU4848.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\Printer4848.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\smallbtn_shadow.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\progress_bk.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\closebtn.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\all-wcprops C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\Monitor4848.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\closebtn_normal.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\default_pkgicon.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\uninstall_list_item.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\star_half.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\MiniThunderPlatform.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\dl_peer_id.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_restore_list_item.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\GIF\.svn\prop-base\refreshing.gif.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\update_dwn.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\update_info.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\ins_app2phone_arrow.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\driver_uninstall_list_item.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\feedback_dwn.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\ins_app2phone.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\.svn\text-base\MiniThunderPlatform.exe.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\driver_restore_page.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\bottom_shadow.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\IEHint64.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\driver_restore_list_item.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\download_btn_icon.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\logo3434.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\update\USBDT.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\finishbtn.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\recommend_hov.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\close_search.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\text-base\dash_line.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\confirm_closebtn.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\item_icon_4.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\upgrade_beta_list_item.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\apk.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\driver_fresh_progress_fore.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\GIF\.svn\entries C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\prop-base\closebtn_hover.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\driver_backup_list_item.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\.svn\text-base\hardware_info_page.xml.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\1.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\.svn\prop-base\Disk4848.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\logo_text.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\search_bar_act_focus.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\prop-base\9+.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\ins_title.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\tab.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\HardwareInfo.dll C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver_restore_page.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\text-base\setting_dwn.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\driver\check_uncheck_disable.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\menu.xml C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\ApkTool\extheme\ApkTool\.svn\text-base\ins_confirm.png.svn-base C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
File created C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\combo_mask.png C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C} C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppName C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppPath C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\Policy = "3" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
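
Read together, the COM server registration, the Run key and the ElevationPolicy entry above describe how the dropped components return after a reboot and how the BHO's helper is allowed out of Protected Mode Internet Explorer: a Policy value of 3 tells IE to launch the registered AppPath silently at medium integrity, with no prompt. The Python below is an added example, not code from this report or from the software's vendor. It parses rows in the page's Description/Indicator/Process/Target layout and groups the registry writes into the artefacts a responder would query on a live host. The embedded rows are copied from the tables on this page (including the LocalServer32 and protocol-handler rows from the registry class section further down); the regexes and the ELEVATION_POLICY table are the example's own.

```python
"""Extract persistence indicators from sandbox registry rows.

Added example. The rows below are copied from the report tables on this
page; the parser and the indicator categories are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: verbatim rows from this report, one event per line.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\Policy = "3" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\LocalServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open\command\ = "\"C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe\" \"%1\"" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
"""

# Row grammar as rendered on the page: the process column always starts with
# a drive letter and the target column is N/A or another path, which is what
# lets us split columns whose own contents contain spaces.
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>.*)" '
                    r'(?P<proc>C:\\.+) (?P<target>N/A|C:\\.+)$')
KEY_RE = re.compile(r'^Key created (?P<key>.+?) (?P<proc>C:\\.+) (?P<target>N/A|C:\\.+)$')

GUID = r'(\{[0-9A-Fa-f-]{36}\})'
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\([^\\]+)$')
COM_RE = re.compile(r'\\CLSID\\' + GUID + r'\\(InprocServer32|LocalServer32)\\$')
ELEV_RE = re.compile(r'\\ElevationPolicy\\' + GUID + r'\\Policy$')
PROTO_RE = re.compile(r'\\Classes\\([^\\]+)\\Shell\\Open\\command\\$')

# Meaning of the IE Protected Mode ElevationPolicy "Policy" value.
ELEVATION_POLICY = {
    0: "launch blocked",
    1: "silent launch, low integrity",
    2: "prompt, then medium integrity",
    3: "silent launch, medium integrity",
}


def unescape(value):
    """Undo the sandbox's C-style escaping of quotes and backslashes."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_rows(text):
    """Turn report rows into event dicts; rows matching neither pattern are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            events.append({"op": "set", "key": m["key"], "value": unescape(m["value"]),
                           "type": m["type"], "proc": m["proc"]})
            continue
        m = KEY_RE.match(line)
        if m:
            events.append({"op": "create", "key": m["key"], "proc": m["proc"]})
    return events


def persistence_indicators(events):
    """Group the registry writes into the artefacts a responder hunts for."""
    out = {"run_keys": {}, "com_servers": defaultdict(list),
           "elevation_policy": {}, "protocol_handlers": {}}
    for ev in events:
        if ev["op"] != "set":
            continue
        key, value = ev["key"], ev["value"]
        if m := RUN_RE.search(key):
            out["run_keys"][m.group(1)] = value
        elif m := COM_RE.search(key):
            view = "x86" if "\\WOW6432Node\\" in key else "x64"
            out["com_servers"][m.group(1)].append(
                {"kind": m.group(2), "view": view, "path": value, "proc": ev["proc"]})
        elif m := ELEV_RE.search(key):
            code = int(value)
            out["elevation_policy"][m.group(1)] = (code, ELEVATION_POLICY.get(code, "unknown"))
        elif m := PROTO_RE.search(key):
            out["protocol_handlers"][m.group(1)] = value
    out["com_servers"] = dict(out["com_servers"])
    return out


if __name__ == "__main__":
    for name, items in persistence_indicators(parse_rows(SAMPLE_ROWS)).items():
        print(name)
        for k, v in items.items():
            print("   ", k, "->", v)
```

Paste the rows of another report into SAMPLE_ROWS to reuse it; a row that fits neither pattern is dropped rather than mis-split, so compare the returned event count with the table length before trusting the output. The same CLSID appearing under both the native CLSID key and WOW6432Node, written by the system32 and SysWOW64 copies of regsvr32 respectively, is the x64/x86 pair of the BHO DLL and is what to look for in both registry views on a host.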

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ = "IGameDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\ = "URL:SogouSoftware Protocol" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\DefaultIcon\ = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C} C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open\command\ = "\"C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe\" \"%1\"" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains\* C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1871D0A-4929-4A3C-AAE5-684235E62244}\iexplore\AllowedDomains C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\ = "DownLoadBHO Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SogouSoftware\Shell\Open\command C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\LocalServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe" C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ = "IDownLoadBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ = "IGameDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\ = "{13D91BAE-B37C-41C3-AE86-463E53990546}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4108 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 4108 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 4108 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\minidownload.exe
PID 4108 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 3256 wrote to memory of 1652 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
PID 1652 wrote to memory of 3160 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1652 wrote to memory of 1204 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 836 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1652 wrote to memory of 4984 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
PID 1652 wrote to memory of 4932 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
PID 1652 wrote to memory of 3144 N/A C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
PID 4932 wrote to memory of 5928 N/A C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
PID 3256 wrote to memory of 4516 N/A C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\minidownload.exe

"C:\Users\Admin\AppData\Local\Temp\minidownload.exe"

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

"C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-IR5IpbEw6j9YpS1Wc4Ved3WXa85rh1XgyheSu4KSc873XX-0eLlV_4175qK_X1cC089g3UvQT4HFgXJ8-dW6Zyh6i63LXZxGM0W2Wqaimckia18juZWspKniF5_tMpLpMTV9OOG3TDj5uSN8GNMfht-hhfyrotZuymqeXTs4DKsqrgKv2NitWRKqRFCy2Uw-s.%26pcid%3D-1577129102750396778%26fr%3Dxiazai%26source%3Dtencent%26filename%3DTHS_qqguanjia_9.10.20.exe&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F1402_48_1626246961.png&softname=%E5%90%8C%E8%8A%B1%E9%A1%BA+%E5%85%8D%E8%B4%B9%E7%89%88&softsize=148.36MB

C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe

"C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe" /Update

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

"C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe"

C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe

"C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe"

C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe

"C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Install

C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe

"C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Service

C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe

"C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe" MiniThunderPlatform2024-06-1423:42:37 "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe"

C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe

"C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe" -StartTP

Network


Files
