File name: | sohui.exe |
---|---|
Full analysis: | https://app.any.run/tasks/b251c4bd-1001-4094-ab72-e7ae2040bb7a |
Verdict: | Malicious activity |
Analysis date: | July 13, 2020, 06:57:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, Nullsoft Installer self-extracting archive |
MD5: | 633FE2FC2FBB1A7366F19D6E11469653 |
SHA1: | D569A35E14CD3B3D256E6DC21B80FCAED9F39CDC |
SHA256: | 151EC0CB10F6B8CD9278A06ACE390ADACDBD6CEE828FE681B6E4ED105BACD133 |
SSDEEP: | 196608:4RFznWxQ58jpbT4SNKezvl8gjPKstVOjGhAXZndz3YVIWtnuPiZ3:Ddwe7egmsfOjWAX5JoeWtuPa |
.exe | UPX compressed Win32 Executable (39.3) |
---|---|
.exe | Win32 EXE Yoda's Crypter (38.6) |
.dll | Win32 Dynamic Link Library (generic) (9.5) |
.exe | Win32 Executable (generic) (6.5) |
.exe | Generic Win/DOS Executable (2.9) |
ProductVersion: | 2.0.1.1189 |
---|---|
ProductName: | Sogou Wubi Input Method |
LegalCopyright: | (C) 2011 Sogou.com Inc. All rights reserved. |
FileVersion: | 2.0.1.1189 |
FileDescription: | Sogou Input Installer |
CompanyName: | Sogou.com Inc. |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2.0.1.1189 |
FileVersionNumber: | 2.0.1.1189 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | 6.1 |
OSVersion: | 5 |
EntryPoint: | 0x15ed30 |
UninitializedDataSize: | 1413120 |
InitializedDataSize: | 139264 |
CodeSize: | 20480 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2009:09:09 15:23:23+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Sep-2009 13:23:23 |
Detected languages: | |
Comments: | - |
CompanyName: | Sogou.com Inc. |
FileDescription: | Sogou Input Installer |
FileVersion: | 2.0.1.1189 |
LegalCopyright: | (C) 2011 Sogou.com Inc. All rights reserved. |
ProductName: | Sogou Wubi Input Method |
ProductVersion: | 2.0.1.1189 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 09-Sep-2009 13:23:23 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00159000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0015A000 | 0x00005000 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.83238 |
.rsrc | 0x0015F000 | 0x00022000 | 0x00021200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.4366 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.21649 | 968 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 7.97924 | 50363 | UNKNOWN | English - United States | RT_ICON |
3 | 5.1116 | 9640 | UNKNOWN | English - United States | RT_ICON |
4 | 5.57695 | 4264 | UNKNOWN | English - United States | RT_ICON |
102 | 6.73406 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.57313 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 7.44208 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 7.14241 | 248 | UNKNOWN | English - United States | RT_DIALOG |
111 | 6.98093 | 238 | UNKNOWN | English - United States | RT_DIALOG |
202 | 6.81862 | 160 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.DLL |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1048 | "C:\Users\admin\Desktop\sohui.exe" | C:\Users\admin\Desktop\sohui.exe | — | explorer.exe |
User: admin Company: Sogou.com Inc. Integrity Level: MEDIUM Description: Sogou Input Installer Exit code: 3221226540 Version: 2.0.1.1189 | ||||
3324 | "C:\Users\admin\Desktop\sohui.exe" | C:\Users\admin\Desktop\sohui.exe | | explorer.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: Sogou Input Installer Exit code: 0 Version: 2.0.1.1189 | ||||
2236 | "C:\Users\admin\AppData\Local\Temp\install.exe" -i -w | C:\Users\admin\AppData\Local\Temp\install.exe | — | sohui.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2804 | "C:\Program Files\SogouWBInput\2.0.1.1189\SkinReg.exe" -register "C:\Program Files\SogouWBInput\2.0.1.1189" | C:\Program Files\SogouWBInput\2.0.1.1189\SkinReg.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 皮肤安装程序 Exit code: 0 Version: 2.0.1.1189 | ||||
3296 | regsvr32 /s /i "C:\Program Files\SogouWBInput\2.0.1.1189\SogouTSF.dll" | C:\Windows\system32\regsvr32.exe | — | sohui.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
996 | "C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe" -register "C:\Program Files\SogouWBInput\2.0.1.1189" | C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 细胞词库安装程序 Exit code: 0 Version: 2.0.1.1189 | ||||
2800 | "C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe" -cdefault | C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 细胞词库安装程序 Exit code: 0 Version: 2.0.1.1189 | ||||
3832 | "C:\Program Files\SogouWBInput\2.0.1.1189\ConfigIE.exe" 2 "C:\Program Files\SogouWBInput\2.0.1.1189" | C:\Program Files\SogouWBInput\2.0.1.1189\ConfigIE.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 导入导出配置向导 Exit code: 0 Version: 2.0.1.1189 | ||||
2376 | "C:\Program Files\SogouWBInput\2.0.1.1189\Wizard.exe" | C:\Program Files\SogouWBInput\2.0.1.1189\Wizard.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 设置向导 Exit code: 1 Version: 2.0.1.1189 | ||||
3004 | "C:\Program Files\SogouWBInput\2.0.1.1189\WbConfig.exe" | C:\Program Files\SogouWBInput\2.0.1.1189\WbConfig.exe | — | explorer.exe |
User: admin Company: Sogou.com Inc. Integrity Level: MEDIUM Description: 搜狗五笔输入法 设置程序 Exit code: 1 Version: 2.0.1.1189 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\modern-wizard.bmp | image | |
MD5:93C97FC221CAAF744A8BDB3C946A2E86 | SHA256:770F6FD67F4F3DA7B90A73B724ED6DBC726416F8E5318FBCA50FD6E34B859C49 | |||
3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\modern-header.bmp | image | |
MD5:BC6A811F6A6DDD8C1862E66AEC582CDA | SHA256:F33344A296DBF1068D5351F5708A1561EE819A73AEF80A303AF50FD1D6AF274F | |||
3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\SetupLib.dll | executable | |
MD5:7914E13F28535ED2B04C285AA887F161 | SHA256:CBA2CEFE830420AAC74E08ECFDE07ABACD5370B169248A95D252F31554EB80BC | |||
3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\ioSpecial.ini | text | |
MD5:13EF935A70FEE0BFD6D605605D79DB0E | SHA256:CB69CE7D3424E22B3684E53A9BC2E1D999189B2F0238FAF0489359F48F2BD269 | |||
3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\Install64.exe | executable | |
MD5:CB05F57EA1B1A3259FD4DF5DE8F416FB | SHA256:AD11030ED6047688871343EDC83720F071263C49272362DC51E67AB160DC9F32 | |||
3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe | executable | |
MD5:C383DEC800DB3EC2A57AB3DA5E4D6BC5 | SHA256:A1E2D45A0D819E24B128556ED8A8531AA5ED5F3E404AF10B4985D740059569BB | |||
3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\Wizard.exe | executable | |
MD5:12C72A11F4E14A364E0CAEF2428DB8D8 | SHA256:00CE1D1339C3776D14E5838FC0C32303F6B852C6F80EFAB7F7B46124C9AAFF88 | |||
3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\WbConfig.exe | executable | |
MD5:9A1F24488A5593F33A17CDD0A919E120 | SHA256:1B0750980B7F0AEC996AF20D879CB471CC13D4EAB828D54762B8C56FB8F090B2 | |||
3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\HWSignature.dll | executable | |
MD5:0B731658CCC76D34D82B1116B8CA9425 | SHA256:AEFFC7A279CBD549583FB2DF7F6A3C5C6BD3C523118FB08C626286DBBDC7E7AD | |||
3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\ImeUtil.exe | executable | |
MD5:5A649923D2A3A6969612F804AB41A2FE | SHA256:9CF7C7ED1E53631DF760331125ECA217A74F58516F1F44536283E92EBFF35670 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3324 | sohui.exe | 211.159.235.216:80 | ime.sogou.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious |
Domain | IP | Reputation |
---|---|---|
ime.sogou.com | | malicious |