Malware analysis http://pro.cdn.ime.sogou.com/sogou_pinyin_14.2.0.8968.exe Malicious activity

Add for printing

URL:	http://pro.cdn.ime.sogou.com/sogou_pinyin_14.2.0.8968.exe
Full analysis:	https://app.any.run/tasks/df9ac15a-4842-40dc-8877-b7ace022bae5
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 18, 2024, 08:59:14
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware sogou loader ramnit trojan
Indicators:
MD5:	E9C8EDCFCD0A36B0CBAAA6CEB03622E0
SHA1:	34E4EE5DCDCB35F305E8DD0A01FAFF9659EABA88
SHA256:	E80D444B99172A26CEE2E60E4DEEFCCFA428A788B771EDF3012DF887A852222B
SSDEEP:	3:N1KOXTpM9iZ/KKNepbLetNn:COXGi/KVbytNn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SogouExe.exe (PID: 3256)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
  - SogouComMgr.exe (PID: 2044)
- Registers / Runs the DLL via REGSVR32.EXE
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - biz_helper.exe (PID: 3460)
- Creates a writable file in the system directory
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
- Signature: RAMNIT has been detected
  - regsvr32.exe (PID: 3656)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
- The process creates files with name similar to system file names
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
- Executable content was dropped or overwritten
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SogouExe.exe (PID: 3256)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
  - SogouComMgr.exe (PID: 2044)
- Process requests binary or script from the Internet
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
- Reads the Internet Settings
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SGTool.exe (PID: 3292)
  - SGTool.exe (PID: 3900)
  - SGTool.exe (PID: 2828)
  - SogouComMgr.exe (PID: 2044)
  - SGTool.exe (PID: 2088)
- Reads security settings of Internet Explorer
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SGTool.exe (PID: 3292)
  - SogouExe.exe (PID: 3256)
  - SGTool.exe (PID: 3900)
  - SogouExe.exe (PID: 3780)
  - SGTool.exe (PID: 2828)
  - SogouExe.exe (PID: 752)
  - SGTool.exe (PID: 2088)
  - SogouComMgr.exe (PID: 2044)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 1636)
  - regsvr32.exe (PID: 3656)
- Checks Windows Trust Settings
  - SogouExe.exe (PID: 3256)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
- Reads settings of System Certificates
  - SogouExe.exe (PID: 3256)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
- Creates a software uninstall entry
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
- Application launched itself
  - biz_helper.exe (PID: 3708)
INFO
- Drops the executable file immediately after the start
  - iexplore.exe (PID: 3276)
- Checks supported languages
  - wmpnscfg.exe (PID: 980)
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SGTool.exe (PID: 3292)
  - SGTool.exe (PID: 552)
  - SogouExe.exe (PID: 3256)
  - SGTool.exe (PID: 3900)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
  - SogouSvc.exe (PID: 2768)
  - SGTool.exe (PID: 908)
  - SGTool.exe (PID: 324)
  - userNetSchedule.exe (PID: 3588)
  - SGTool.exe (PID: 2088)
  - SGTool.exe (PID: 2612)
  - SGTool.exe (PID: 3548)
  - SGTool.exe (PID: 3876)
  - SogouImeBroker.exe (PID: 3268)
  - SGTool.exe (PID: 3884)
  - SogouComMgr.exe (PID: 2044)
  - biz_helper.exe (PID: 3708)
  - biz_helper.exe (PID: 3460)
  - SGTool.exe (PID: 2828)
  - biz_helper.exe (PID: 2356)
  - biz_helper.exe (PID: 3664)
  - SGTool.exe (PID: 2228)
- Executable content was dropped or overwritten
  - iexplore.exe (PID: 3276)
- Modifies the phishing filter of IE
  - iexplore.exe (PID: 4008)
- Reads the computer name
  - wmpnscfg.exe (PID: 980)
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SGTool.exe (PID: 3292)
  - SogouExe.exe (PID: 3256)
  - SGTool.exe (PID: 3900)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
  - SGTool.exe (PID: 2828)
  - SogouSvc.exe (PID: 2768)
  - SGTool.exe (PID: 324)
  - SGTool.exe (PID: 908)
  - SGTool.exe (PID: 2088)
  - userNetSchedule.exe (PID: 3588)
  - SGTool.exe (PID: 3548)
  - SGTool.exe (PID: 3884)
  - SogouComMgr.exe (PID: 2044)
- Application launched itself
  - iexplore.exe (PID: 4008)
- The process uses the downloaded file
  - iexplore.exe (PID: 4008)
- Create files in a temporary directory
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
- Manual execution by a user
  - wmpnscfg.exe (PID: 980)
- Reads the machine GUID from the registry
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SogouExe.exe (PID: 3256)
  - SogouExe.exe (PID: 3780)
  - SGTool.exe (PID: 2828)
  - SogouExe.exe (PID: 752)
  - SogouComMgr.exe (PID: 2044)
- Dropped object may contain TOR URL's
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SogouComMgr.exe (PID: 2044)
- Creates files in the program directory
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SogouExe.exe (PID: 3780)
  - SogouComMgr.exe (PID: 2044)
  - biz_helper.exe (PID: 3460)
  - biz_helper.exe (PID: 3664)
  - biz_helper.exe (PID: 2356)
- Creates files or folders in the user directory
  - SGTool.exe (PID: 3292)
  - SogouExe.exe (PID: 3256)
  - SGTool.exe (PID: 3900)
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SGTool.exe (PID: 2828)
  - SogouExe.exe (PID: 752)
  - SGTool.exe (PID: 908)
  - SGTool.exe (PID: 324)
  - SGTool.exe (PID: 2088)
  - userNetSchedule.exe (PID: 3588)
  - SGTool.exe (PID: 2612)
  - SGTool.exe (PID: 2228)
  - SGTool.exe (PID: 3548)
  - SGTool.exe (PID: 3876)
  - SogouExe.exe (PID: 3780)
  - SGTool.exe (PID: 3884)
  - SogouComMgr.exe (PID: 2044)
- Reads the software policy settings
  - SogouExe.exe (PID: 3256)
  - SogouExe.exe (PID: 3780)
  - SogouExe.exe (PID: 752)
- Checks proxy server information
  - sogou_pinyin_14.2.0.8968.exe (PID: 1728)
  - SGTool.exe (PID: 2828)
  - SogouComMgr.exe (PID: 2044)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

324

"C:\Program Files\SogouInput\14.2.0.8968\SGTool.exe" --appid=scdreg -register "C:\Program Files\SogouInput\14.2.0.8968"

C:\Program Files\SogouInput\14.2.0.8968\SGTool.exe

—

sogou_pinyin_14.2.0.8968.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法工具

Exit code:

Version:

14.2.0.8968

Modules

Images
c:\program files\sogouinput\14.2.0.8968\sgtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll

552

"C:\Program Files\SogouInput\14.2.0.8968\SGTool.exe" --appid=skinreg -register "C:\Program Files\SogouInput\14.2.0.8968"

C:\Program Files\SogouInput\14.2.0.8968\SGTool.exe

—

sogou_pinyin_14.2.0.8968.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法工具

Exit code:

Version:

14.2.0.8968

Modules

Images
c:\program files\sogouinput\14.2.0.8968\sgtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll

568

"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sogou_pinyin_14.2.0.8968.exe"

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sogou_pinyin_14.2.0.8968.exe

—

iexplore.exe

User:

admin

Company:

Sogou.com

Integrity Level:

MEDIUM

Description:

搜狗输入法安装程序

Exit code:

3221226540

Version:

14.2.0.8968

Modules

Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\sogou_pinyin_14.2.0.8968.exe
c:\windows\system32\ntdll.dll

752

"C:\Program Files\SogouInput\SogouExe\SogouExe.exe" /check

C:\Program Files\SogouInput\SogouExe\SogouExe.exe

SGTool.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法安全启动程序

Exit code:

Version:

14.2.0.8968

Modules

Images
c:\program files\sogouinput\sogouexe\sogouexe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

864

"regsvr32.exe" /s "C:\Program Files\SogouInput\Components\biz_center\1.0.0.2283\biz_shellext64.dll"

C:\Windows\System32\regsvr32.exe

—

biz_helper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

908

"C:\Program Files\SogouInput\14.2.0.8968\SGTool.exe" --appid=scdreg -ConvV1toV2InstPath "C:\Program Files\SogouInput\14.2.0.8968"

C:\Program Files\SogouInput\14.2.0.8968\SGTool.exe

—

sogou_pinyin_14.2.0.8968.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法工具

Exit code:

Version:

14.2.0.8968

Modules

Images
c:\program files\sogouinput\14.2.0.8968\sgtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll

980

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1636

regsvr32 /s /i "C:\Program Files\SogouInput\14.2.0.8968\SogouTSF.dll"

C:\Windows\System32\regsvr32.exe

—

sogou_pinyin_14.2.0.8968.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1728

"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sogou_pinyin_14.2.0.8968.exe"

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sogou_pinyin_14.2.0.8968.exe

iexplore.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法安装程序

Exit code:

Version:

14.2.0.8968

Modules

Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\sogou_pinyin_14.2.0.8968.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

2044

"C:\Program Files\SogouInput\Components\SogouComMgr.exe" -installdoall "C:\Program Files\SogouInput\Components\TempComponents" -param "-setup -rdele -installplu 0 -removelist SearchSuggestionBundle#WonderfulWriteBundle#SmartInfoBundle" -silent -overwrite

C:\Program Files\SogouInput\Components\SogouComMgr.exe

sogou_pinyin_14.2.0.8968.exe

User:

admin

Company:

Sogou.com

Integrity Level:

HIGH

Description:

搜狗输入法扩展功能管理器

Exit code:

Version:

14.2.0.8968

Modules

Images
c:\program files\sogouinput\components\sogoucommgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

50 272

Read events

49 812

Write events

376

Delete events

Modification events


(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 1
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value:
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31095058
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value:
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31095058
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(4008) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

177

Unknown types

Dropped files

PID	Process	Filename		Type
3276	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sogou_pinyin_14.2.0.8968.exe.v3k9p51.partial		—
		MD5:—	SHA256:—
4008	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sogou_pinyin_14.2.0.8968.exe		—
		MD5:—	SHA256:—
4008	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver995D.tmp		xml
		MD5:CBD0581678FA40F0EDCBC7C59E0CAD10	SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
1728	sogou_pinyin_14.2.0.8968.exe	C:\Users\admin\AppData\Local\Temp\nsu61CA.tmp\SetupUi.cupf		binary
		MD5:817CBF611CFF0DEB62A614ACA93F1B31	SHA256:EDA6D0EB05CDCC1941F67F8DF5C63A91ADEB073CF64C80A0276385A04A4D13EC
4008	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A		binary
		MD5:C13726CB8F36554E48194607251E72D6	SHA256:F922131781EE8DE44C3E76C89E74E9F798E7A91F9651350F5E1C293A62780AE9
4008	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin		binary
		MD5:FA518E3DFAE8CA3A0E495460FD60C791	SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
4008	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		image
		MD5:DA597791BE3B6E732F0BC8B20E38EE62	SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
4008	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		der
		MD5:671750E95147C280C29000B09A5A5540	SHA256:C2BCF615C8BD97A3BDAFF1E0BDCE5AD328B8777A1F694613BD227280BEE9645B
4008	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml		xml
		MD5:CBD0581678FA40F0EDCBC7C59E0CAD10	SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
4008	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A		der
		MD5:03286F86A6340EF1EB71162CA877B4CA	SHA256:F6E395EAB531C2331F213B764ECB38E1B4A1E883299D15C1D8B688291E26F20A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4008	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
4008	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	314 b	unknown
3276	iexplore.exe	GET	200	119.167.147.251:80	http://pro.cdn.ime.sogou.com/sogou_pinyin_14.2.0.8968.exe	unknown	executable	140 Mb	unknown
1728	sogou_pinyin_14.2.0.8968.exe	GET	200	129.226.103.145:80	http://pinyin.sogou.com/client/validateinstall.php?v=14.2.0.8968&h=0923E3199566CF719B92C686B73BE6C5&r=0000_sogou_pinyin_14.2.0.8968&pp=iexplore.exe&mode=0	unknown	text	87 b	unknown
1080	svchost.exe	GET	200	173.222.108.243:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1dd404ff67a3d8ee	unknown	compressed	67.5 Kb	unknown
3276	iexplore.exe	GET	—	119.167.147.251:80	http://pro.cdn.ime.sogou.com/sogou_pinyin_14.2.0.8968.exe	unknown	—	—	unknown
2044	SogouComMgr.exe	GET	200	43.129.115.16:80	http://ping.pinyin.sogou.com/component.gif?h=0923E3199566CF719B92C686B73BE6C5&r=0000_sogou_pinyin_14.2.0.8968&v=14.2.0.8968&tt=ipb&id=biz_center&ver=1.0.0.2283&it=5&ir=1	unknown	—	—	unknown
1080	svchost.exe	GET	304	173.222.108.243:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aa4b77dd5ef709e5	unknown	compressed	67.5 Kb	unknown
2044	SogouComMgr.exe	GET	200	43.129.115.16:80	http://ping.pinyin.sogou.com/component.gif?h=0923E3199566CF719B92C686B73BE6C5&r=0000_sogou_pinyin_14.2.0.8968&v=14.2.0.8968&tt=ipb&id=biz_pdf&ver=1.0.0.2266&it=5&ir=1	unknown	—	—	unknown
2044	SogouComMgr.exe	GET	—	43.129.115.16:80	http://ping.pinyin.sogou.com/component.gif?h=0923E3199566CF719B92C686B73BE6C5&r=0000_sogou_pinyin_14.2.0.8968&v=14.2.0.8968&tt=ipb&id=game_center&ver=1.0.0.2281&it=5&ir=1	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3276	iexplore.exe	113.201.158.139:80	pro.cdn.ime.sogou.com	CHINA UNICOM China169 Backbone	CN	unknown
4008	iexplore.exe	2.19.96.42:443	www.bing.com	Akamai International B.V.	DE	unknown
4008	iexplore.exe	173.222.108.147:80	ctldl.windowsupdate.com	Akamai International B.V.	CH	unknown
4008	iexplore.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3276	iexplore.exe	119.167.147.251:80	pro.cdn.ime.sogou.com	CHINA UNICOM China169 Backbone	CN	unknown
4008	iexplore.exe	2.19.96.48:443	www.bing.com	Akamai International B.V.	DE	unknown
4008	iexplore.exe	173.222.108.210:80	ctldl.windowsupdate.com	Akamai International B.V.	CH	unknown

DNS requests

Domain	IP	Reputation
pro.cdn.ime.sogou.com	42.177.83.63 123.234.2.61 36.249.65.247 42.177.83.214 42.177.83.78 36.249.65.232 42.177.83.82 42.177.83.87 119.167.147.251 42.177.83.224 113.201.158.139 113.207.69.190 60.220.213.207	whitelisted
api.bing.com	13.107.5.80	whitelisted
www.bing.com	2.19.96.42 2.19.96.48 2.19.96.67 2.19.96.56 2.19.96.66 2.19.96.65 2.19.96.51 2.19.96.41 2.19.96.59 2.19.96.75 2.19.96.58 2.19.96.50 2.19.96.73 2.19.96.74 2.19.96.80	whitelisted
ctldl.windowsupdate.com	173.222.108.147 173.222.108.210 173.222.108.243	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
ieonline.microsoft.com	204.79.197.200	whitelisted
go.microsoft.com	23.43.62.58	whitelisted
pinyin.sogou.com	129.226.103.145 129.226.102.244	whitelisted

Threats

PID	Process	Class	Message
3276	iexplore.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1728	sogou_pinyin_14.2.0.8968.exe	Misc activity	ET INFO Win32/Sogou User-Agent (SOGOU_UPDATER)

Add for printing

No debug info

General Info

http://pro.cdn.ime.sogou.com/sogou_pinyin_14.2.0.8968.exe

E9C8EDCFCD0A36B0CBAAA6CEB03622E0

34E4EE5DCDCB35F305E8DD0A01FAFF9659EABA88

E80D444B99172A26CEE2E60E4DEEFCCFA428A788B771EDF3012DF887A852222B

3:N1KOXTpM9iZ/KKNepbLetNn:COXGi/KVbytNn

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Registers / Runs the DLL via REGSVR32.EXE

Creates a writable file in the system directory

Signature: RAMNIT has been detected

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Reads the Internet Settings

Reads security settings of Internet Explorer

Creates/Modifies COM task schedule object

Checks Windows Trust Settings

Reads settings of System Certificates

Creates a software uninstall entry

Application launched itself

INFO

Drops the executable file immediately after the start

Checks supported languages

Executable content was dropped or overwritten

Modifies the phishing filter of IE

Reads the computer name

Application launched itself

The process uses the downloaded file

Create files in a temporary directory

Manual execution by a user

Reads the machine GUID from the registry

Dropped object may contain TOR URL's

Creates files in the program directory

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings