Malware analysis sogouinput.com Malicious activity | ANY.RUN

Add for printing

URL:	sogouinput.com
Full analysis:	https://app.any.run/tasks/fc802483-b15c-4f5d-ae19-7f583e784230
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 29, 2024, 06:24:22
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware sogou ramnit trojan
Indicators:
MD5:	BFFAEF165D7BFE9F1AD3FD5B8ACF5E67
SHA1:	349584416F48FB46DC14DC6537CE54D2C4C02A65
SHA256:	D401F96C1D2B620C192754883B7DB4E7D4CCE140D854D6D0E4CFFF4E598E0771
SSDEEP:	3:B3T:t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - biz_helper.exe (PID: 3896)
- Drops the executable file immediately after the start
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouExe.exe (PID: 3240)
  - SogouExe.exe (PID: 764)
  - SogouComMgr.exe (PID: 2964)
- Creates a writable file in the system directory
  - sogou_pinyin_guanwang.exe (PID: 3772)
- Signature: RAMNIT has been detected
  - regsvr32.exe (PID: 1236)
SUSPICIOUS
- Executable content was dropped or overwritten
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouExe.exe (PID: 3240)
  - SogouExe.exe (PID: 764)
  - SogouComMgr.exe (PID: 2964)
- Reads security settings of Internet Explorer
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SGTool.exe (PID: 2668)
  - SogouExe.exe (PID: 2992)
  - SGTool.exe (PID: 824)
  - SogouExe.exe (PID: 3240)
  - SGTool.exe (PID: 3032)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 2864)
  - SogouComMgr.exe (PID: 2964)
  - SogouComMgr.exe (PID: 2860)
- Checks Windows Trust Settings
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouExe.exe (PID: 3240)
  - SGTool.exe (PID: 3032)
  - SogouExe.exe (PID: 764)
- Reads settings of System Certificates
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouExe.exe (PID: 3240)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 3032)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 1244)
  - regsvr32.exe (PID: 1236)
- Malware-specific behavior (creating "System.dll" in Temp)
  - sogou_pinyin_guanwang.exe (PID: 3772)
- The process creates files with name similar to system file names
  - sogou_pinyin_guanwang.exe (PID: 3772)
- Reads the Internet Settings
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SGTool.exe (PID: 2668)
  - SGTool.exe (PID: 824)
  - SGTool.exe (PID: 3032)
  - SGTool.exe (PID: 2864)
  - SogouComMgr.exe (PID: 2964)
  - SogouComMgr.exe (PID: 2860)
- Process requests binary or script from the Internet
  - sogou_pinyin_guanwang.exe (PID: 3772)
- Creates a software uninstall entry
  - sogou_pinyin_guanwang.exe (PID: 3772)
- Application launched itself
  - biz_helper.exe (PID: 3992)
INFO
- Drops the executable file immediately after the start
  - firefox.exe (PID: 4004)
- Application launched itself
  - firefox.exe (PID: 3988)
  - firefox.exe (PID: 4004)
- Reads the computer name
  - wmpnscfg.exe (PID: 3040)
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SGTool.exe (PID: 2668)
  - SogouExe.exe (PID: 2992)
  - SGTool.exe (PID: 824)
  - SGTool.exe (PID: 3032)
  - SogouExe.exe (PID: 3240)
  - SogouSvc.exe (PID: 3656)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 3324)
  - userNetSchedule.exe (PID: 4076)
  - SGTool.exe (PID: 2864)
  - SGTool.exe (PID: 3392)
  - SogouComMgr.exe (PID: 2964)
  - SGTool.exe (PID: 3420)
  - SGTool.exe (PID: 3464)
  - SGTool.exe (PID: 2340)
  - SGTool.exe (PID: 2360)
  - SogouComMgr.exe (PID: 2860)
- Manual execution by a user
  - wmpnscfg.exe (PID: 3040)
  - sogou_pinyin_guanwang.exe (PID: 3552)
  - sogou_pinyin_guanwang.exe (PID: 3772)
- Checks supported languages
  - wmpnscfg.exe (PID: 3040)
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SGTool.exe (PID: 2356)
  - SogouExe.exe (PID: 2992)
  - SGTool.exe (PID: 824)
  - SGTool.exe (PID: 2668)
  - SogouExe.exe (PID: 3240)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 3032)
  - SGTool.exe (PID: 3392)
  - SogouSvc.exe (PID: 3656)
  - SGTool.exe (PID: 3324)
  - SGTool.exe (PID: 2864)
  - SGTool.exe (PID: 2340)
  - userNetSchedule.exe (PID: 4076)
  - SogouImeBroker.exe (PID: 1060)
  - SGTool.exe (PID: 524)
  - SogouComMgr.exe (PID: 2964)
  - SGTool.exe (PID: 3420)
  - SGTool.exe (PID: 3464)
  - SGTool.exe (PID: 3284)
  - biz_helper.exe (PID: 3992)
  - biz_helper.exe (PID: 3896)
  - biz_helper.exe (PID: 3840)
  - biz_helper.exe (PID: 2984)
  - SogouComMgr.exe (PID: 2860)
  - SGTool.exe (PID: 2360)
- The process uses the downloaded file
  - firefox.exe (PID: 4004)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 4004)
- Create files in a temporary directory
  - sogou_pinyin_guanwang.exe (PID: 3772)
- Reads the machine GUID from the registry
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouExe.exe (PID: 3240)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 3032)
  - SogouComMgr.exe (PID: 2860)
  - SogouComMgr.exe (PID: 2964)
- Creates files or folders in the user directory
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SGTool.exe (PID: 2668)
  - SogouExe.exe (PID: 3240)
  - SGTool.exe (PID: 3032)
  - SGTool.exe (PID: 824)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 3324)
  - SGTool.exe (PID: 2864)
  - userNetSchedule.exe (PID: 4076)
  - SGTool.exe (PID: 2340)
  - SGTool.exe (PID: 3392)
  - SGTool.exe (PID: 3420)
  - SGTool.exe (PID: 524)
  - SGTool.exe (PID: 3464)
  - SGTool.exe (PID: 3284)
  - SogouComMgr.exe (PID: 2964)
  - SGTool.exe (PID: 2360)
- Reads the software policy settings
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouExe.exe (PID: 3240)
  - SogouExe.exe (PID: 764)
  - SGTool.exe (PID: 3032)
- Creates files in the program directory
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouExe.exe (PID: 2992)
  - SogouComMgr.exe (PID: 2964)
  - biz_helper.exe (PID: 3896)
  - biz_helper.exe (PID: 2984)
  - biz_helper.exe (PID: 3840)
  - SGTool.exe (PID: 2360)
- Dropped object may contain TOR URL's
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SogouComMgr.exe (PID: 2964)
- Checks proxy server information
  - sogou_pinyin_guanwang.exe (PID: 3772)
  - SGTool.exe (PID: 3032)
  - SogouComMgr.exe (PID: 2964)
  - SogouComMgr.exe (PID: 2860)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

524

"C:\Program Files\SogouInput\14.3.0.9006\SGTool.exe" --appid=check -o

C:\Program Files\SogouInput\14.3.0.9006\SGTool.exe

—

sogou_pinyin_guanwang.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法工具

Exit code:

Version:

14.3.0.9006

Modules

Images
c:\program files\sogouinput\14.3.0.9006\sgtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll

764

"C:\Program Files\SogouInput\SogouExe\SogouExe.exe" /check

C:\Program Files\SogouInput\SogouExe\SogouExe.exe

SGTool.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法安全启动程序

Exit code:

Version:

14.3.0.9006

Modules

Images
c:\program files\sogouinput\sogouexe\sogouexe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

824

"C:\Program Files\SogouInput\14.3.0.9006\SGTool.exe" --appid=ucfont -yahei -extb6 "\"

C:\Program Files\SogouInput\14.3.0.9006\SGTool.exe

—

sogou_pinyin_guanwang.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法工具

Exit code:

4294967295

Version:

14.3.0.9006

Modules

Images
c:\program files\sogouinput\14.3.0.9006\sgtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll

864

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.0.1610809843\137441533" -parentBuildID 20230710165010 -prefsHandle 1116 -prefMapHandle 1108 -prefsLen 28523 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad1f33a4-8621-4362-aaf5-4721635550a0} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 1188 d7aba20 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

924

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.6.962055949\934546812" -childID 5 -isForBrowser -prefsHandle 3820 -prefMapHandle 2244 -prefsLen 29366 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd650204-e174-4337-88e0-aa75cfad7f9d} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 3824 1618cb20 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

972

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.8.1881867757\1579697159" -childID 7 -isForBrowser -prefsHandle 4228 -prefMapHandle 4232 -prefsLen 29366 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e2d23b0-6ab7-491b-8b9c-52dc7d05a969} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 4216 1618cf70 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1008

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.4.1279327632\2054463067" -childID 3 -isForBrowser -prefsHandle 3596 -prefMapHandle 3500 -prefsLen 29102 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {516d4d9f-6a94-404f-9f1f-072fee9e4609} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 3580 171f5b20 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1060

"C:\Windows\system32\IME\SogouPY\SogouImeBroker.exe" -RegServer

C:\Windows\System32\IME\SogouPY\SogouImeBroker.exe

—

sogou_pinyin_guanwang.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法 Metro代理程序

Exit code:

Version:

14.3.0.9006

Modules

Images
c:\windows\system32\ime\sogoupy\sogouimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1236

"regsvr32.exe" /s "C:\Program Files\SogouInput\Components\biz_center\1.0.0.2289\biz_shellext.dll"

C:\Windows\System32\regsvr32.exe

—

biz_helper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1244

regsvr32 /s /i "C:\Program Files\SogouInput\14.3.0.9006\SogouTSF.dll"

C:\Windows\System32\regsvr32.exe

—

sogou_pinyin_guanwang.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

64 303

Read events

63 843

Write events

395

Delete events

Modification events


(PID) Process:	(3988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: ABF1C0E200000000
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: E8ABC2E200000000
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:	delete value	Name:	installer.taskbarpin.win10.enabled
Value:
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 0
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Enabled
Value: 1
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 1
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0
(PID) Process:	(4004) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|SetDefaultBrowserUserChoice
Value: 1

Add for printing

Executable files

Suspicious files

168

Text files

256

Unknown types

Dropped files

PID	Process	Filename		Type
4004	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4004	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\activity-stream.discovery_stream.json		—
		MD5:—	SHA256:—
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal		binary
		MD5:C517C3BE0BADCBA57F9B141E8F28E787	SHA256:0D5BFA0DFC3890A2E8600CAB0A0D93433F6B8EB94EA4939CB1F69C11C1857B3D
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\targeting.snapshot.json		—
		MD5:—	SHA256:—
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4004	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

146

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4004	firefox.exe	GET	301	104.21.70.210:80	http://sogouinput.com/	unknown	—	—	unknown
4004	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	unknown
4004	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	unknown
4004	firefox.exe	POST	200	216.58.206.67:80	http://ocsp.pki.goog/gts1c3	unknown	—	—	unknown
4004	firefox.exe	POST	—	95.101.54.107:80	http://r3.o.lencr.org/	unknown	—	—	unknown
4004	firefox.exe	POST	—	95.101.54.107:80	http://r3.o.lencr.org/	unknown	—	—	unknown
4004	firefox.exe	POST	200	95.101.54.107:80	http://r3.o.lencr.org/	unknown	—	—	unknown
4004	firefox.exe	POST	200	95.101.54.107:80	http://r3.o.lencr.org/	unknown	—	—	unknown
4004	firefox.exe	POST	200	95.101.54.107:80	http://r3.o.lencr.org/	unknown	—	—	unknown
4004	firefox.exe	POST	200	216.58.206.67:80	http://ocsp.pki.goog/gts1c3	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1088	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4004	firefox.exe	104.21.70.210:80	sogouinput.com	CLOUDFLARENET	—	unknown
4004	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
4004	firefox.exe	34.117.188.166:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
4004	firefox.exe	172.217.16.202:443	safebrowsing.googleapis.com	—	—	whitelisted
4004	firefox.exe	95.101.54.107:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown
4004	firefox.exe	104.21.70.210:443	sogouinput.com	—	—	unknown

DNS requests

Domain	IP	Reputation
sogouinput.com	104.21.70.210 172.67.139.154 2606:4700:3036::ac43:8b9a 2606:4700:3034::6815:46d2	unknown
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.215.14	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	shared
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown
r3.o.lencr.org	95.101.54.107 2.16.202.121 95.101.54.131	shared
a1887.dscq.akamai.net	2.16.202.121 95.101.54.107 2a02:26f0:480:e::210:f108 2a02:26f0:480:e::210:f10f 95.101.54.131	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Win32/Sogou User-Agent (SOGOU_UPDATER)

Add for printing

No debug info

General Info

sogouinput.com

BFFAEF165D7BFE9F1AD3FD5B8ACF5E67

349584416F48FB46DC14DC6537CE54D2C4C02A65

D401F96C1D2B620C192754883B7DB4E7D4CCE140D854D6D0E4CFFF4E598E0771

3:B3T:t

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Drops the executable file immediately after the start

Creates a writable file in the system directory

Signature: RAMNIT has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads settings of System Certificates

Creates/Modifies COM task schedule object

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Reads the Internet Settings

Process requests binary or script from the Internet

Creates a software uninstall entry

Application launched itself

INFO

Drops the executable file immediately after the start

Application launched itself

Reads the computer name

Manual execution by a user

Checks supported languages

The process uses the downloaded file

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Creates files in the program directory

Dropped object may contain TOR URL's

Checks proxy server information

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings