What is hao123_[cu003d1111]__93767729_o2_hao_.exe?
hao123_[cu003d1111]__93767729_o2_hao_.exe is part of hao123????? and developed by 123Juzi.COM according to the hao123_[cu003d1111]__93767729_o2_hao_.exe version information.
hao123_[cu003d1111]__93767729_o2_hao_.exe's description is "hao123?????"
hao123_[cu003d1111]__93767729_o2_hao_.exe is digitally signed by BeiJing Baidu Netcom Science Technology Co., Ltd.
hao123_[cu003d1111]__93767729_o2_hao_.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected hao123_[cu003d1111]__93767729_o2_hao_.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on hao123_[cu003d1111]__93767729_o2_hao_.exe:
| Property | Value |
|---|---|
| Product name | hao123????? |
| Company name | 123Juzi.COM |
| File description | hao123????? |
| Internal name | setup.exe |
| Original filename | setup.exe |
| Legal copyright | Copyright @ 2015 123Juzi.COM. All Rights Reserved. |
| Product version | 1.1.9.1051 |
| File version | 1.1.9.1051 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | hao123????? |
| Company name | 123Juzi.COM |
| File description | hao123????? |
| Internal name | setup.exe |
| Original filename | setup.exe |
| Legal copyright | Copyright @ 2015 123Juzi.COM. All Ri.. |
| Product version | 1.1.9.1051 |
| File version | 1.1.9.1051 |
Digital signatures [?]
hao123_[cu003d1111]__93767729_o2_hao_.exe has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | BeiJing Baidu Netcom Science Technology Co., Ltd |
| Certificate issuer name | VeriSign Class 3 Code Signing 2010 CA |
| Certificate serial number | 07bb7e6586c7d00d361700e4139fe772 |
VirusTotal report
23 of the 66 anti-virus programs at VirusTotal detected the hao123_[cu003d1111]__93767729_o2_hao_.exe file. That's a 35% detection rate.
| Scanner | Detection Name |
|---|---|
| Alibaba | PUA:Win32/Hao123.45024344 |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| CAT-QuickHeal | Trojan.Agent |
| ClamAV | Win.Trojan.004ede-1 |
| Comodo | Malware@#esnraufrf4q6 |
| eGambit | Unsafe.AI_Score_60% |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Hao123.H potentially unwanted |
| Fortinet | Riskware/Hao123 |
| GData | Win32.Trojan.Agent.R0NMIX |
| Invincea | heuristic |
| K7AntiVirus | Adware ( 004ede111 ) |
| K7GW | Adware ( 004ede111 ) |
| Malwarebytes | PUP.Optional.Hao123 |
| MAX | malware (ai score=97) |
| McAfee | GenericR-OKC!41F188B6A4FF |
| McAfee-GW-Edition | GenericR-OKC!41F188B6A4FF |
| Sophos | Generic PUA OE (PUA) |
| TrendMicro-HouseCall | PUA_Hao |
| VBA32 | Trojan.Inject |
| Yandex | Trojan.Inject!FvlJEMDebY8 |
| Zillya | Trojan.Inject.Win32.207349 |
![23 of the 66 anti-virus programs detected the hao123_[cu003d1111]__93767729_o2_hao_.exe file.](/static/charts/pie/detected/35.png?file=hao123_%5Bcu003d1111%5D__93767729_o2_hao_.exe)
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game\\gamelist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ttslist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\setting.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbraw.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\hao123Juzi.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\zoomimage.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\softlist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\vdown.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin\\LightCloud[ver=1.0.0.1].jzs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbept.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\speedup.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico\\www.hao123.com.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\8ejz.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\srca.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\juzihelper.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bkmak.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbwin.dat"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted\\C:\\Users\\cuck\\AppData\\Local\\Temp\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin"
],
"dll_loaded": [
"C:\\Windows\\syswow64\\MSCTF.dll",
"WindowsCodecs.dll",
"kernel32.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\hao123JuziBrowser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\hao123JuziBrowser.exe"
],
"resolves_host": [
"s0.hao123img.com",
"s2.hao123img.com",
"s1.hao123img.com",
"s3.hao123img.com",
"www.hao123.com",
"hao123.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game\\gamelist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ttslist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\setting.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbraw.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\hao123Juzi.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\zoomimage.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\softlist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\vdown.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin\\LightCloud[ver=1.0.0.1].jzs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbept.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\speedup.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico\\www.hao123.com.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\8ejz.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\srca.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\juzihelper.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bkmak.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbwin.dat"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp"
],
"file_exists": [
"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ie11core",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock"
],
"mutex": [
"hao123juzibrowser_juzi_{06dc3546-4050-4ce0-9091-9d4bce75c85b}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock"
]
}Dropped
[
{
"yara": [],
"sha1": "50112bf9f38056950d1a8bdf7305d5c702d72542",
"name": "f0ad35c878fa96b8_npjuziplugin_x64.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin_x64.dll",
"type": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
"sha256": "f0ad35c878fa96b8f32439954207ed1574519168b7d31fe9b3bde55ddd0877c1",
"urls": [
"https:\/\/www.verisign.com\/cps0",
"http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/sf.symcb.com\/sf.crt0",
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
"http:\/\/ocsp.verisign.com0",
"https:\/\/www.verisign.com\/rpa",
"http:\/\/crl.verisign.com\/pca3.crl0",
"http:\/\/crl.verisign.com\/pca3-g5.crl04",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/ocsp.thawte.com0",
"http:\/\/logo.verisign.com\/vslogo.gif04",
"http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
"http:\/\/sf.symcd.com0",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/sf.symcb.com\/sf.crl0W",
"http:\/\/ts-ocsp.ws.symantec.com07"
],
"crc32": "7D53696E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/f0ad35c878fa96b8_npjuziplugin_x64.dll",
"ssdeep": null,
"size": 180504,
"sha512": "368dac0f6a4543fe6ef908cee2a8e96b95ead5a8049dadbadfd8d2b7bcefa49e9acc7ccdade0480f23de7fcce98b67f241e88f27271fa661d84782e794f8d61b",
"pids": [
2456
],
"md5": "7e21d9adeb53d90877fa50ce9e2d296b"
},
{
"yara": [],
"sha1": "f901d47ceed7ab2e28c84492d4bdb86527dc399a",
"name": "b30a3946aa8e0034_npjuziplugin.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "b30a3946aa8e00346ea89ac44045e85b93b5b91f65c268e6976748e809d3621d",
"urls": [
"https:\/\/www.verisign.com\/cps0",
"http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/sf.symcb.com\/sf.crt0",
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
"http:\/\/ocsp.verisign.com0",
"https:\/\/www.verisign.com\/rpa",
"http:\/\/crl.verisign.com\/pca3.crl0",
"http:\/\/crl.verisign.com\/pca3-g5.crl04",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/ocsp.thawte.com0",
"http:\/\/logo.verisign.com\/vslogo.gif04",
"http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
"http:\/\/sf.symcd.com0",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/sf.symcb.com\/sf.crl0W",
"http:\/\/ts-ocsp.ws.symantec.com07"
],
"crc32": "7282808D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/b30a3946aa8e0034_npjuziplugin.dll",
"ssdeep": null,
"size": 191256,
"sha512": "988a96500fbd6fd75d4cb78dc462279c00ad429e7a72f34ed4cd0c3651b2682c6dd84a0592a01fa3f270b196252249363b35101edb4a886d7ad0bf6ca2445732",
"pids": [
2456
],
"md5": "ab472a0ca7902cac619a37947db26c72"
},
{
"yara": [],
"sha1": "7f7a95689f72152e4b62689d80123057b69fe3f6",
"name": "1aab48cbef767eeb_juzihelper.css",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\juzihelper.css",
"type": "ASCII text, with no line terminators",
"sha256": "1aab48cbef767eeb24a38bb421bcc685c9166afd32e2e0fc988d592c6ac5d811",
"urls": [],
"crc32": "10405531",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/1aab48cbef767eeb_juzihelper.css",
"ssdeep": null,
"size": 50,
"sha512": "259c56e97b98d6196558a49bb965d86225af3f2290aa15a5ca5cbbb67a443c0fb4706f2334a707bf14dbded3efae3dd43f927d784ef140a702bf7c0970d73138",
"pids": [
2456
],
"md5": "cacab7ed84c0454104689bf5525004fa"
},
{
"yara": [],
"sha1": "1d2d7dd1b24598245223562e4c8948b63b88c57b",
"name": "0bb97a23965b101a_speedup.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\speedup.dat",
"type": "data",
"sha256": "0bb97a23965b101a29cf2f1c788391ed9194e8885b3c82c2c4d6e53010a68f2d",
"urls": [],
"crc32": "268AFCAB",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/0bb97a23965b101a_speedup.dat",
"ssdeep": null,
"size": 12030,
"sha512": "bd6c29f15a5392ce632b544a9c3d50be56be1a70068c60acc64d6aae770166c6b42ca95af051bc263ea7dad3a34ab7aab84eb38c569b69639712ac223e04698d",
"pids": [
2456
],
"md5": "99fb04fe14af27aa3c17c4a5ab37805a"
},
{
"yara": [],
"sha1": "b4f68e1725d5bfc8c89ccc0cb652ca035d54e6ed",
"name": "8a89c95d35bd6c45_srca.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\srca.dat",
"type": "data",
"sha256": "8a89c95d35bd6c4579a887d683afeef9f33aecd971512d7f7adbe8354ca0889b",
"urls": [],
"crc32": "9EA9B255",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/8a89c95d35bd6c45_srca.dat",
"ssdeep": null,
"size": 686,
"sha512": "51552a1f04ffb17751f022328fb7bbf5ea1a8cac879d0fd4ea28b3a23776cdd28ac08d73541cade0d9ef3ae6a044a31ecd20b4f834de48cf0e56e485cc907507",
"pids": [
2456
],
"md5": "640d7cc01f9a97d572d204f8ee4321e8"
},
{
"yara": [],
"sha1": "494613017c23405fdf62c476b7dcb0c2fd623331",
"name": "561e1371ff656c66_adbraw.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbraw.dat",
"type": "data",
"sha256": "561e1371ff656c66291f2f65a28f22e0d098646b1b2268e81f2f30cfd3be9c98",
"urls": [],
"crc32": "305017F0",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/561e1371ff656c66_adbraw.dat",
"ssdeep": null,
"size": 172169,
"sha512": "2638275914015771756c5a805f7cea97a3870f92d4e94cf789d838cb26e5760ccfee975a7fc3141c78c035687dbe2d4ff8dd0be2b64050de91206b4a58f52374",
"pids": [
2456
],
"md5": "7c10b4e4135579f41e8d4684cb8ff243"
},
{
"yara": [],
"sha1": "3fb79d6429be1f5a6cfd0478647624519c22c8e4",
"name": "10704cc712d82fee_ttslist.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ttslist.dat",
"type": "data",
"sha256": "10704cc712d82feeadac70e8949c476e4e0dcc559c033248797e248de492b209",
"urls": [],
"crc32": "0F405BB9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/10704cc712d82fee_ttslist.dat",
"ssdeep": null,
"size": 1658,
"sha512": "a787209465a338ed59a5ae991c1f16bb53243de78da9e40129a1f2382baac13cb2ad2465021579d4a274031e8f543acfb14feb5e8652f673531d114845f2b264",
"pids": [
2456
],
"md5": "44c0b8efe4f875da14e2323b71f79bbd"
},
{
"yara": [],
"sha1": "1e1005a64efdaf14247f3788c54836be5fc141ce",
"name": "99b94abc1d2388f1_softlist.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\softlist.dat",
"type": "data",
"sha256": "99b94abc1d2388f102a1f2e821bbab992bf07e8893bd865983eb43391160851d",
"urls": [],
"crc32": "BAE4711F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/99b94abc1d2388f1_softlist.dat",
"ssdeep": null,
"size": 4054,
"sha512": "56fe87f77d4b589e03cfd9ed1b1c6061c3ea21c209e1f0c21509c787c13770406c7c1c3770419d7b6b1e1044e91ece5669a8644e62ff9ba8b3856e0af3ee6df8",
"pids": [
2456
],
"md5": "520d4df0b493736a9c418b470d554c4b"
},
{
"yara": [],
"sha1": "dac2258a0387617a1c17402f072f892c05eae4d3",
"name": "c85e7b0ebb875595_vdown.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\vdown.dat",
"type": "data",
"sha256": "c85e7b0ebb87559523604db24929ac49c7a8bfb52649fba8196f592c63beb3a5",
"urls": [],
"crc32": "E446C136",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/c85e7b0ebb875595_vdown.dat",
"ssdeep": null,
"size": 232,
"sha512": "a1cb5e5970705089449fbb010884fb800056061a207cc52cc8fc854a2c7d20eddb57d1c37382d16bab02fd01df6d4f0fab5c7accb100a310d7a6e8ccb7c65a53",
"pids": [
2456
],
"md5": "80d0814902f43e1fe3a8e7f84723605e"
},
{
"yara": [],
"sha1": "5b112f7c42fb9b6f3471489c7018e4f1bfced4e9",
"name": "c5291b908b922863_dhres.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"type": "7-zip archive data, version 0.2",
"sha256": "c5291b908b922863b9653f6edde3c1801649dc3012370e132d8aa4b64bba49b6",
"urls": [],
"crc32": "10F8CBED",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/c5291b908b922863_dhres.tmp",
"ssdeep": null,
"size": 2253668,
"sha512": "aa86a63951b9fd9049e69b7fe2e6f00df659a438133b97c263b8adff975d58290bc7243e1739fc4d33adb6eecac369297e7dcd7a8b9af1f54a608350c3477303",
"pids": [
2456
],
"md5": "bda22d6aba818c25d79779d211ca2dc3"
},
{
"yara": [],
"sha1": "c0b4800257f8d98defec087da31f17993eea07fd",
"name": "d20ddb5194a9de1b_gamelist.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game\\gamelist.dat",
"type": "data",
"sha256": "d20ddb5194a9de1b6faf4c6e3d09891bf2825dce1a4e962cf3778f0e3795627b",
"urls": [],
"crc32": "87CD7F58",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/d20ddb5194a9de1b_gamelist.dat",
"ssdeep": null,
"size": 5619,
"sha512": "0bfcdfcc098f7c4b412afab157f0cda824bafa792f4dd76c0139a523c757a8c1c3e0b66e7820e3d88abd84d38cbebbe31965d3ca2ecc21ca95b4c971d118ea62",
"pids": [
2456
],
"md5": "16f6a92eaaf96ed317290969158ba855"
},
{
"yara": [],
"sha1": "7158d6676c49d7936ca9a61942293b11ef6f2016",
"name": "51eafa690638fa44_adbwin.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbwin.dat",
"type": "data",
"sha256": "51eafa690638fa44562e037c1a9def9e9e4956c88f03f83ee3a432f1842eea64",
"urls": [],
"crc32": "53C84E48",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/51eafa690638fa44_adbwin.dat",
"ssdeep": null,
"size": 49773,
"sha512": "68cf3e8411867d06f8fa112f5ee904c1b52107aa9dc6e123c4c1c16d95dc3df0a5c7a8778d36a546a90bdda8f92ad4424607800917698e885dd0634bb42a337b",
"pids": [
2456
],
"md5": "f0de959e0c981a7a635b03dd51c5eb7f"
},
{
"yara": [],
"sha1": "228620efa95f42852c7c50f61199a8cb3f4045b6",
"name": "ba15601804a2710e_nphao123dps_x64.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS_x64.dll",
"type": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
"sha256": "ba15601804a2710e4785ae8762b6b1e7a5f6a72a105a5358d788b7a7bcd77cc5",
"urls": [
"https:\/\/www.verisign.com\/cps0",
"http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/sf.symcb.com\/sf.crt0",
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
"http:\/\/ocsp.verisign.com0",
"https:\/\/www.verisign.com\/rpa",
"http:\/\/crl.verisign.com\/pca3.crl0",
"http:\/\/crl.verisign.com\/pca3-g5.crl04",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/ocsp.thawte.com0",
"http:\/\/logo.verisign.com\/vslogo.gif04",
"http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
"http:\/\/sf.symcd.com0",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/sf.symcb.com\/sf.crl0W",
"http:\/\/ts-ocsp.ws.symantec.com07"
],
"crc32": "EA7CB77C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/ba15601804a2710e_nphao123dps_x64.dll",
"ssdeep": null,
"size": 170264,
"sha512": "c33601385af0141eaa16c5cc222d5589d0178da7925d10f1b48c6b3ad9f207299ef5e4b06159bbaff7a1e5ca03a4a46bf14988e82d1a6819ee049eb5ffdee9a0",
"pids": [
2456
],
"md5": "c2f7a0238996a0ed4a103b817b558c9b"
},
{
"yara": [],
"sha1": "17bd1450c01d1e943f5339454e5898cbd3e866a5",
"name": "80070d8196687b76_8ejz.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\8ejz.ico",
"type": "MS Windows icon resource - 9 icons, 48x48, 16 colors",
"sha256": "80070d8196687b7619b6ba3a2a7ce0f1e4a5797891b907eb55bb85650fdb4a6a",
"urls": [],
"crc32": "C1393D1C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/80070d8196687b76_8ejz.ico",
"ssdeep": null,
"size": 25214,
"sha512": "a0706ede6aca1f83dc06be356c791f63be7b257d6d826f000f710455b9cfbbd7ca2edb098a42fb52a605a05c0fedfff8159b02ec0cf219acb829e553c3f26f5a",
"pids": [
2456
],
"md5": "a84d13d383663197170d3a0c5a35ae42"
},
{
"yara": [],
"sha1": "821bcb3602474fe0d14d4969fa192001a36a41d5",
"name": "a63a06ca6d959d31_hao123juzi.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\hao123Juzi.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "a63a06ca6d959d3172a3cdfd9e6822caad7ca54d36f4b0335810a3253b8bb213",
"urls": [
"http:\/\/t.qq.com\/favicon.ico",
"https:\/\/www.verisign.com\/rpa",
"http:\/\/www.baidu.com\/s?wd=",
"http:\/\/www.xinhuanet.com\/",
"http:\/\/www.autohome.com.cn\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"http:\/\/www.qq.com\/",
"http:\/\/www.163.com\/favicon.ico",
"http:\/\/ns.adobe.com\/exif\/1.0\/",
"http:\/\/www.tudou.com\/",
"https:\/\/www.verisign.com\/cps0",
"http:\/\/a.xnimg.cn\/favicon-rr.ico",
"http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(",
"http:\/\/www.hao123.com\/api\/citymenu",
"http:\/\/www.cntv.cn\/",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
"http:\/\/www.hao123.com\/",
"http:\/\/www.sina.com",
"http:\/\/www.hao123.com\/api\/async_opendata?token=5246891f76da49e85b589df4f03bb062",
"http:\/\/tieba.baidu.com\/",
"http:\/\/www.ifeng.com\/",
"http:\/\/suggestion.baidu.com\/su?cb=?",
"http:\/\/update.123juzi.net\/ntads.php?ver=",
"http:\/\/www.youku.com\/",
"http:\/\/www.iqiyi.com\/favicon.ico",
"http:\/\/www.renren.com\/",
"http:\/\/www.sina.com.cn\/",
"http:\/\/www.jiayuan.com\/favicon.ico",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"https:\/\/www.google.com.hk\/",
"http:\/\/dillerdesign.com\/experiment\/DD_belatedPNG\/",
"http:\/\/www.iqiyi.com\/",
"http:\/\/www.hao123.com\/favicon.ico",
"http:\/\/jqueryui.com",
"http:\/\/logo.verisign.com\/vslogo.gif04",
"http:\/\/www.ctrip.com\/favicon.ico",
"http:\/\/www.dillerdesign.com\/experiment\/DD_belatedPNG\/",
"http:\/\/www.jiayuan.com\/",
"http:\/\/www.sohu.com\/",
"http:\/\/tieba.baidu.com\/favicon.ico",
"http:\/\/purl.org\/dc\/elements\/1.1\/",
"http:\/\/www.yhd.com\/favicon.ico",
"http:\/\/crl.verisign.com\/pca3.crl0",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/www.taobao.com\/favicon.ico",
"http:\/\/www.douban.com\/favicon.ico",
"http:\/\/www.ifeng.com\/favicon.ico",
"http:\/\/ocsp.verisign.com0",
"http:\/\/www.taobao.com\/",
"http:\/\/v.hao123.com\/",
"http:\/\/www.hao123.com\/api\/newforecast?token=",
"http:\/\/www.tmall.com\/favicon.ico",
"http:\/\/www.bitauto.com\/favicon.ico",
"http:\/\/www.xinhuanet.com\/favicon.ico",
"http:\/\/www.baidu.com\/",
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
"http:\/\/top.hao123.com",
"http:\/\/www.163.com\/",
"https:\/\/www.google.com.hk\/favicon.ico",
"http:\/\/www.jd.com\/",
"http:\/\/ocsp.thawte.com0",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceEvent",
"http:\/\/t.qq.com\/",
"http:\/\/ns.adobe.com\/photoshop\/1.0\/",
"http:\/\/www.tudou.com\/favicon.ico",
"http:\/\/www.people.com.cn\/favicon.ico",
"http:\/\/www.baidu.com\/favicon.ico",
"http:\/\/sf.symcb.com\/sf.crt0",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/www.autohome.com.cn\/favicon.ico",
"http:\/\/sf.symcd.com0",
"http:\/\/www.weibo.com\/",
"http:\/\/ts-ocsp.ws.symantec.com07",
"http:\/\/www.cntv.cn\/favicon.ico",
"http:\/\/www.tmall.com\/",
"http:\/\/www.baidu.com",
"http:\/\/www.douban.com\/",
"http:\/\/www.baidu.com\/?tn=",
"http:\/\/www.weibo.com\/favicon.ico",
"http:\/\/ns.adobe.com\/tiff\/1.0\/",
"http:\/\/www.qidian.com\/favicon.ico",
"http:\/\/crl.verisign.com\/pca3-g5.crl04",
"http:\/\/www.qq.com\/favicon.ico",
"http:\/\/javascript.crockford.com\/jsmin.html",
"http:\/\/www.zhaopin.com\/",
"http:\/\/www.ctrip.com\/",
"http:\/\/www.qidian.com\/",
"http:\/\/css3pie.com",
"http:\/\/www.sina.com.cn\/favicon.ico",
"http:\/\/www.JSON.org\/js.html",
"http:\/\/v.hao123.com\/favicon.ico",
"http:\/\/www.jd.com\/favicon.ico",
"http:\/\/ns.adobe.com\/xap\/1.0\/",
"http:\/\/www.people.com.cn\/",
"http:\/\/www.zhaopin.com\/favicon.ico",
"http:\/\/sf.symcb.com\/sf.crl0W",
"http:\/\/www.bitauto.com\/"
],
"crc32": "4A771007",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/a63a06ca6d959d31_hao123juzi.exe",
"ssdeep": null,
"size": 4512536,
"sha512": "d615881de19f83e0102993ff80e3568d9fc58f1a7fe84593b8387cef806e14ae74bd26a506cd4434617b48b9ba6b09c68189c82ad310defc4e0609853e1577fc",
"pids": [
2456
],
"md5": "ab4e11431071cfb6cf75f80abb33a6fd"
},
{
"yara": [],
"sha1": "abe13e3ded8c1552754b62fde674706c0de9e079",
"name": "77bea62dae6a34a4_nphao123dps.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "77bea62dae6a34a4258a77ad801d4acbd5ba03709b96afca41ce1ee3d2b532df",
"urls": [
"https:\/\/www.verisign.com\/cps0",
"http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/sf.symcb.com\/sf.crt0",
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
"http:\/\/ocsp.verisign.com0",
"https:\/\/www.verisign.com\/rpa",
"http:\/\/crl.verisign.com\/pca3.crl0",
"http:\/\/crl.verisign.com\/pca3-g5.crl04",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/ocsp.thawte.com0",
"http:\/\/logo.verisign.com\/vslogo.gif04",
"http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
"http:\/\/sf.symcd.com0",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/sf.symcb.com\/sf.crl0W",
"http:\/\/ts-ocsp.ws.symantec.com07"
],
"crc32": "B2E82A69",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/77bea62dae6a34a4_nphao123dps.dll",
"ssdeep": null,
"size": 181016,
"sha512": "2ded54b73ac537b17af6940358c0a57c2b39cb4155424bc256f13babca900ad08985c4927153d48405b84ec96ff3dad72cf2b6f3cfb4b57c5ccfe353d73fea8f",
"pids": [
2456
],
"md5": "b271f220da84148d28fc99f66c1ba5da"
},
{
"yara": [],
"sha1": "fbdcbb813f84242f1857f3c9ea8f2da152ba9a6b",
"name": "42ce5f7851c46051_adbept.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbept.dat",
"type": "GLS_BINARY_LSB_FIRST",
"sha256": "42ce5f7851c4605179fe1a5f4fe4939b9980ceb406bb3f729e89f206d7f65351",
"urls": [],
"crc32": "99593ADA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/42ce5f7851c46051_adbept.dat",
"ssdeep": null,
"size": 6415,
"sha512": "f7d04777cc02a41eb4109ec4fc73b6049aebd3858bb67571debae765d522ef9fd5b3ad112cfbc84919a42dde3860239690fdf50ffe8fa394543ff791440d950f",
"pids": [
2456
],
"md5": "f58b9007834fd8cf92181c74f1b19405"
},
{
"yara": [],
"sha1": "52f886f624c087c6a5d3b35044ebb58be02692ec",
"name": "d9c304be5abfb908_www.hao123.com.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico\\www.hao123.com.ico",
"type": "MS Windows icon resource - 1 icon, 16x16",
"sha256": "d9c304be5abfb9083f98491b7c91b40f4c441274d50219c71a7b9e5412409d0e",
"urls": [],
"crc32": "2174393B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/d9c304be5abfb908_www.hao123.com.ico",
"ssdeep": null,
"size": 1150,
"sha512": "8b3fd6f7106506fc86b1963a41ccfcec950ff473130a7f4e9eb139a5e7188ef8fd1bcc037ac21f35fe27cb7e00065e3521ac51e8ee10be16f2cf2c23f5f2e4b9",
"pids": [
2456
],
"md5": "c94ed283958d284121ab0938f39688a4"
},
{
"yara": [],
"sha1": "1620f1728f910217683cadc13a74e8d15878f39c",
"name": "6454b23f3abd4e93_lightcloud[ver=1.0.0.1].jzs",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin\\LightCloud[ver=1.0.0.1].jzs",
"type": "Zip archive data, at least v2.0 to extract",
"sha256": "6454b23f3abd4e931d2fa4b9681e2e4953aa39c976fd6026b62346dd9a88b7a5",
"urls": [],
"crc32": "4B957F9C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/6454b23f3abd4e93_lightcloud[ver=1.0.0.1].jzs",
"ssdeep": null,
"size": 86038,
"sha512": "1a9a6a23f55e70a2d2b49b27dabdaef98f1ff41c0895ffe298985e8163af73b22d12ea875ffcedc1b8475a31fcffd7f6af027bf50d0b0093cc97d7d489073f33",
"pids": [
2456
],
"md5": "4a6d34d15b983878d0e174d1a87df8d6"
},
{
"yara": [],
"sha1": "1721295d86cfdcffe39f5fb4d42307aceeb4b8d6",
"name": "8de5ee0c4aa9c511_zoomimage.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\zoomimage.dat",
"type": "data",
"sha256": "8de5ee0c4aa9c51199f9a88c2268bd5316f8e74dfb7182016144aa2952056389",
"urls": [],
"crc32": "97DCE32C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/8de5ee0c4aa9c511_zoomimage.dat",
"ssdeep": null,
"size": 7443,
"sha512": "83869dc34da0a9c79787a4d8870f8c36852353b4acb60f4224d3e63761726470e32def9274f5a725187e7f98aa32d9ffd4c839f5a909cf582b22e5b511d8390c",
"pids": [
2456
],
"md5": "36ddf82a8e6a2286c6ac274f6b869947"
},
{
"yara": [],
"sha1": "48ac27898fdf5e8607219e40e3dc9468191a562b",
"name": "443c0ac358f3b8fa_setting.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\setting.dat",
"type": "data",
"sha256": "443c0ac358f3b8fabe0edfdd6f714979aabe3abeeb2a94b9ed5040e532d11b68",
"urls": [],
"crc32": "5B8C3DBD",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/443c0ac358f3b8fa_setting.dat",
"ssdeep": null,
"size": 125,
"sha512": "161241e175adb20313f21a4108c4301ec7aed859a14970e2ea995ed93c72e33baf468be00988f18cd948cd3df089fd4f2dc83524d642113662bebc985176168d",
"pids": [
2456
],
"md5": "3aa8927df98f4651d6b3430f3d4d72c9"
},
{
"yara": [],
"sha1": "af9829eb0a09226fb9caa46c9e1ee3e60ba9fd61",
"name": "ef74f7bd33870b5c_bkmak.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bkmak.dat",
"type": "data",
"sha256": "ef74f7bd33870b5c65f97da4a248bf35316037c15f8f3a64c6fdd192527e06e6",
"urls": [],
"crc32": "AEB232F8",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5629\/files\/ef74f7bd33870b5c_bkmak.dat",
"ssdeep": null,
"size": 120,
"sha512": "8e414e6592ea3f2ec7113ebdfd2c60f093247b4a346b8b8fe6279e253c4f95988e31ca3de11379b69b387d6cc15043d5b348f0b8a9f36f6f341b3e4cdd9a89da",
"pids": [
2456
],
"md5": "a499b229b67def7bda2fc02c69ca3385"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin",
"process_name": "0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin",
"pid": 2456,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game\\gamelist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ttslist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\setting.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbraw.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\hao123Juzi.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\zoomimage.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\softlist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\vdown.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin\\LightCloud[ver=1.0.0.1].jzs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbept.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\speedup.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico\\www.hao123.com.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\8ejz.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\srca.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\juzihelper.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bkmak.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbwin.dat"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted\\C:\\Users\\cuck\\AppData\\Local\\Temp\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin"
],
"dll_loaded": [
"C:\\Windows\\syswow64\\MSCTF.dll",
"WindowsCodecs.dll",
"kernel32.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\hao123JuziBrowser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\hao123JuziBrowser.exe"
],
"resolves_host": [
"s0.hao123img.com",
"s2.hao123img.com",
"s1.hao123img.com",
"s3.hao123img.com",
"www.hao123.com",
"hao123.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game\\gamelist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ttslist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\setting.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbraw.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin_x64.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\hao123Juzi.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\zoomimage.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\softlist.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\vdown.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin\\LightCloud[ver=1.0.0.1].jzs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbept.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\speedup.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico\\www.hao123.com.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\8ejz.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\srca.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\juzihelper.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bkmak.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock\\adbwin.dat"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp"
],
"file_exists": [
"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\ie11core",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock"
],
"mutex": [
"hao123juzibrowser_juzi_{06dc3546-4050-4ce0-9091-9d4bce75c85b}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\dhres.tmp"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\game",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\skin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\bmico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\User_Data\\Default\\adblock"
]
},
"first_seen": 1582559585.59375,
"ppid": 2780
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1582559585.34375,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "D:\\DarkDev\\src\\tools\\Installer\\Release_Hao123\\setup_hao123.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 3,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "BIN",
"type": "ioc",
"description": null
},
{
"category": "resource name",
"ioc": "BINARY",
"type": "ioc",
"description": null
},
{
"category": "resource name",
"ioc": "SKIN",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 1,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2456,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02310000"
},
"time": 1582559585.71875,
"tid": 2856,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2456,
"type": "call",
"cid": 107
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 49,
"families": [],
"description": "Foreign language identified in PE resource",
"severity": 2,
"marks": [
{
"name": "BIN",
"language": "LANG_CHINESE",
"offset": "0x00050cc4",
"filetype": "7-zip archive data, version 0.2",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00226364"
},
{
"name": "BINARY",
"language": "LANG_CHINESE",
"offset": "0x00277028",
"filetype": "ASCII text, with CRLF line terminators",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000028df"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "SKIN",
"language": "LANG_CHINESE",
"offset": "0x0030c65c",
"filetype": "PNG image data, 210 x 210, 8-bit\/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000f32"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00316dc8",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000468"
},
{
"name": "RT_DIALOG",
"language": "LANG_CHINESE",
"offset": "0x00317230",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000040"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x00317270",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000034"
},
{
"name": "RT_GROUP_ICON",
"language": "LANG_CHINESE",
"offset": "0x00317328",
"filetype": "MS Windows icon resource - 3 icons, 48x48",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_GROUP_ICON",
"language": "LANG_CHINESE",
"offset": "0x00317328",
"filetype": "MS Windows icon resource - 3 icons, 48x48",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_VERSION",
"language": "LANG_CHINESE",
"offset": "0x00317358",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000002fc"
}
],
"references": [],
"name": "origin_langid"
},
{
"markcount": 3,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\npJuziPlugin.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\hao123Juzi.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\{E12936ED-C5E1-4F75-A5E7-7E4C2D9B4EF3}\\Installer\\nphao123DPS.dll",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.991118911144153,
"section": {
"size_of_data": "0x002c7c00",
"virtual_address": "0x00050000",
"entropy": 7.991118911144153,
"name": ".rsrc",
"virtual_size": "0x002c7a64"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.8981072555205047,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0781619548797607,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.12558913230896,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.08034610748291,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0380539894104004,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.1278250217437744,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5379250049591064,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.0905909538269043,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.6247680187225342,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0713870525360107,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1250650882720947,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "647759c4836e5b4423c3d76abbb5e26a3cbde78ec00b8d9ceaeb37b3ab255034",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "754c43901696ccc24bfb237cf1b94b2c661db5f9dc5cdf33c4491ad0da81060c",
"irc": [],
"https_ex": []
}Screenshots
hao123_[cu003d1111]__93767729_o2_hao_.exe removal instructions
The instructions below shows how to remove hao123_[cu003d1111]__93767729_o2_hao_.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the hao123_[cu003d1111]__93767729_o2_hao_.exe file for removal, restart your computer and scan it again to verify that hao123_[cu003d1111]__93767729_o2_hao_.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate hao123_[cu003d1111]__93767729_o2_hao_.exe in the scan result and tick the checkbox next to the hao123_[cu003d1111]__93767729_o2_hao_.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate hao123_[cu003d1111]__93767729_o2_hao_.exe in the scan result.
c:\downloads\hao123_[cu003d1111]__93767729_o2_hao_.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the hao123_[cu003d1111]__93767729_o2_hao_.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If hao123_[cu003d1111]__93767729_o2_hao_.exe still remains in the scan result, proceed with the next step. If hao123_[cu003d1111]__93767729_o2_hao_.exe is gone from the scan result you're done.
- If hao123_[cu003d1111]__93767729_o2_hao_.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that hao123_[cu003d1111]__93767729_o2_hao_.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 41f188b6a4ffb64841ce78144d9a4615 |
| SHA256 | 0f0f7ac0635ce9c50e6aadc20b6a4ff851b4e4a4c4349dc37a6fa34db6c5efd5 |
Error Messages
These are some of the error messages that can appear related to hao123_[cu003d1111]__93767729_o2_hao_.exe:
hao123_[cu003d1111]__93767729_o2_hao_.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
hao123_[cu003d1111]__93767729_o2_hao_.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
hao123????? has stopped working.
End Program - hao123_[cu003d1111]__93767729_o2_hao_.exe. This program is not responding.
hao123_[cu003d1111]__93767729_o2_hao_.exe is not a valid Win32 application.
hao123_[cu003d1111]__93767729_o2_hao_.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.