Malware Analysis Report

2025-01-03 09:27

Sample ID 240604-1m4b1add37
Target 2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid
SHA256 cbb99b1782212708d744ef1b01ddd2d8ba9cba5ce48844f34dbb0891dad6fbaa
Tags
bootkit discovery persistence upx
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

cbb99b1782212708d744ef1b01ddd2d8ba9cba5ce48844f34dbb0891dad6fbaa

Threat Level: Likely malicious

The file 2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence upx

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets DLL path for service in the registry

Executes dropped EXE

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 21:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 21:46

Reported

2024-06-04 21:49

Platform

win7-20240508-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\BDPSvr.sys C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Windows\system32\drivers\BDPSvr.sys C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Windows\SysWOW64\drivers\BDPSvr C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HImageService\Parameters\ServiceDll = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123SP.dll" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Res\error.png C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\MultiLang.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Uninst.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util32.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Upd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Hao123Picture\Hao123Pic.ini C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\COMMON.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_en.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicSvr32.dat C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\ScrSnap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\DuiLib32.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123SP.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicView.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Tool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\官方网站.url C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\jpg.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\LanguageConfig.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_pt.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util32.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util64.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\bmp.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\png.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\psd.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Config.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\tif.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_zh.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicSvr64.dat C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\ImageDraw.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\gif.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jpg\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.xpm\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.gif\ = "Hao123Pic.gif" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.j2k\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.raw\Hao123PicBack = "pfmfile" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jpc C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pgx C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ico\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tif\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.j2k\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jp2\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tga\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pnm\Hao123PicBack = "wmffile" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\PNG.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wdp\ = "Hao123Pic.wdp" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ras C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tga C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tif\ = "Hao123Pic.tif" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ska\ = "Hao123Pic.ska" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.mng\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\ = "Hao123Pic.png" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.xpm\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ico\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.mng C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ras C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pfm\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\ = "Hao123Pic.bmp" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jp2\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pfm\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.mng\ = "Hao123Pic.mng" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.png C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.j2k\ = "Hao123Pic.j2k" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pnm\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.gif C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pgx\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pgx\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx\ = "Hao123Pic.pcx" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tga C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.xpm C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.xpm\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gif C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pfm\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pnm\ = "Hao123Pic.pnm" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ska\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ras\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tif\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jp2\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\ = "Hao123Pic.wmf" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ras\ = "Hao123Pic.ras" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jpc C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ska\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.gif\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jp2\Hao123PicBack = "giffile" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "Hao123Pic.png" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 1640 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 1368 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 1368 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 1368 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 1368 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3040 wrote to memory of 2468 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 2468 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 2468 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3040 wrote to memory of 2468 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe"

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe

"C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe" InstallSpreadOperate 270fcdaea0dafc67f15c0d171d105a9e_icedid240604

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe

"C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe" CreateStartMenu 1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k HImageService

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe

"c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe" UpOnlineData 0

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe

"c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe" OpenUpdate

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe

"c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe" JuziBrowserProtect

Network

Country Destination Domain Proto
US 8.8.8.8:53 tj.sgshurufa.com udp
CN 180.150.178.118:80 tj.sgshurufa.com tcp
US 8.8.8.8:53 tj.hao123pic.com udp
US 8.8.8.8:53 update.hao123pic.com udp

Files

\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe

MD5 55714810abbd85ebe135fe5e473cc3d5
SHA1 66f6b76244f221de208bca007c990390e9692f9a
SHA256 33f8098d37c6b2829758534130f63f3986f8bf03937c666e2c9085e1cc240a0a
SHA512 d13925581e50fa679ff4f505342a091b7a01b321b4b3102a3cdc6f09b83f941e91e190c991725ceb9176f62d28e3c5956400a97b8598e6ad69225413daa92248

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini

MD5 707590ef3d1777859898624392f1c8e0
SHA1 2784e32a5b2a7932d049e4d292a7289345295e2f
SHA256 110f483f2a3d40fa3199ac384bf32935c7b3c2dc70d5024cddc9d0d6f9243619
SHA512 d6e368a82aaff9db45a2344117805d89d24fa49540136aeeed6caddb2b2bf8932a1046289f6d21e30cddbbbc410e6e9706066953143b51d5471e4bf583d04722

C:\Program Files (x86)\Common Files\Hao123Picture\Hao123Pic.ini

MD5 df333703f81c9fd2951466be4c3f4672
SHA1 e844e12aeaba3d8ad18899e9fa60b0428391fc84
SHA256 5ac395657e9c2ffb1e4e2857f08631eda722aa3ff1499b1206349118ba6afd76
SHA512 fcc6a225081c0ee0469f29b92e339b861e7961a2159d4486fdc547e5d76e5cf610d83786bf9673a0d29e8f2f3f57b09fee8392fed319293c8a95f1a86e7a22b0

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123SP.dll

MD5 1a128bcf1b94a14a3352b5fddbcd0c73
SHA1 6463860f9bf08301cbd52258249f887847723caf
SHA256 ba81b6b483d877dc5158bf5229f1571e8bba04d76ab8a83ad3c90d9d0311ebbb
SHA512 627b328a547774a6d37ab0f9f8b2544d03147b367ff94e14a40cb3b1a72e1f5679111a40e70fd7c15ad920b0b50e01fc3def63184171a9ecbf77055e25d2b8a6

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini

MD5 9984976a7e1f9ebc4c333ee9891c46d3
SHA1 8448d2b5b6bfe8b8e732fb0389169a11c9cd5700
SHA256 c4694ea4e9a986bc6bba0290102e5b56618d7ff98b720c2c8690db7355c3b385
SHA512 33ed7440f67bd6bc4b0ef40cbdf8bdb7a7cfdd94aa17e41f82cf8f3900e9f6c5391ba398813c10af3fddf9061916ae72611c67da5ee6de50f04ff22f8937c8dd

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hao123看图王\官方网站.url

MD5 68435c620b01565ba5363e642503cd52
SHA1 8c03a2921108401d3ef5fbc98025da24c66da9bc
SHA256 bbbe703a61e8647059696cbb0517a094da960ca61a97b3d5b14562828646efe3
SHA512 f67ab13a9df924c3911ead9152e7b23f2a935e4295c3aa63ec52e8b177e886825d88ff3cde78c297376afe99c567d190a980e2faeabd2fc097ff24e7cff46117

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Upd.exe

MD5 892fe8f0a05749eeb2596a93d4db4f3c
SHA1 af837b5c671116bc944d4bf23f2a1ca49a859fc5
SHA256 886ee9e27c636b39dc95ef233cd066243fe6e664c9e696f960012b113f731abf
SHA512 b880d80e8de3edfa64be9865e8d63f6bc87e972c2c54173caba10871823cff2cb93a775604b124ea182bc14dd18bfdce7ff9e9ae6c2de1bb85c847589969b7b7

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\duilib32.dll

MD5 61c81a34bfce9c19e4c9224fe08b3e8a
SHA1 540c6847ba81b63a1c28b5eda0d47020cf335bcb
SHA256 2f20fa97af6167acfb8f8fafdd96e1ab4817091ce349ba1fc4390976b8be7be9
SHA512 70e350c686d51337a714efcad659fab7916ea1a1f9ec8cdcb75f320e345155f99d8c30e8f377fbdd0f6dc1fb72f60c663bb86849bea8a7905488d59711abbd4a

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123picview.exe

MD5 99668b0bf9afd57b6d79394dd9da3268
SHA1 c1b0bc252b34558a504fb286a71b1aee0d0355af
SHA256 0a5dfef294a95c36130cdb29d99c180f45f5c413eefcb04debac17aee2f043d3
SHA512 7f61eb30cb2c9a06228a990fad796ff670a48bd82633840b4d7b6508b89348520b11a2ded4007da78a042437b3c23c3bcbe8eacc5544c1c9ff6c2425526f5fc6

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123uninst.exe

MD5 ebfbebb8fc852d3768f023508ab6d6ed
SHA1 a146511e5717c4abac4f9009191d834bc6289fcf
SHA256 dc41b61819cbbcb6ec64c5907ac5bff8aa703ea1f42399291ef7cd572bf40762
SHA512 3ebb248099cf3e0809def597562f1e24f2d68c503c654dd12c1b7979e42e3a0db3bd2e8ace06c8338850dacd0c89d4317cf01a1d6873ed6740ae1038186b7e78

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123tool.exe

MD5 4e4665b9fdce84f0e73a3b96b8a71fe8
SHA1 3262c6bf6d32dec96774211cfc0e13407562c45c
SHA256 150d86e846c83753b7acd3bee04a5846f4b4adbe5e543eeca9779fe00d1f6aeb
SHA512 eaf2888e51acb5eebe385f732d3eb4358ecfbcae8c9e7d39c0367fa86f6f08a80962d99fa1f9449eadc3f507ac5a01613c325a246324ea88c7ba3d805aca22ba

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123plugin.dll

MD5 2d595ce5698a258c4a946e581c0668a1
SHA1 e6f0f948f50fd89b1d036f3f93e2147ce6ea8ecb
SHA256 9a1327f67a16025fd00a4077c082f910014731ca2ee7667d62a409b271efeacf
SHA512 7129156f89a3f8f7a4823013180eb5f44998e4d8ef3da5ee3b1e053b43d9d5b00f9b6529288882c56995bff82f64c85327a9c3b425d2b09f2a825486ba89cbc7

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123picsvr64.dat

MD5 111878d5a664d9fd3b909676cb155f82
SHA1 8e5acfaee98d3b867facc157a02d097c751156c6
SHA256 7bb7d49461417c6a6aa6a1e2fb153258561a5250208c104c352ebeac3374f2b8
SHA512 c5af17d1c4a5f294cfa79d448f36636e217dd152e8858d8c97722e15880fc3e8a9e07720631538b1f51f821257f02bbc3c8dd5854fa030fe78baad8709e5c3be

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123util64.dll

MD5 2bbb0772777b60e1010290d25a1ac23c
SHA1 e006af98d6b184304c695775d1cbaa21286b6a4e
SHA256 d24092880538563f77065d4a3fdb17851eac1db43c18a653c48e2cd293f7aa78
SHA512 7e7d3fc6f5f575a6a6fdf1dc5975c1198c5e782baaf730cb6d45c1b3d8c31cb08c1e2969ae3e7eff3216197e39546957a8bbc2869f0f2a13c91a11b0e915afb6

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\common.ico

MD5 6e8c00d7a3853bd0a88ff8db18d8befb
SHA1 d3fcf1f056bca24dce2a9b0e841882997d3b163b
SHA256 480480d7acda5ec5e4a571bb3a5e82a4a3a4d0d88591470eee3fe16e12666450
SHA512 e5e21b6ed4a85b9db658a794bf60a5bc6108da0f7164b873597189969ea594280cd78845efaccd4e2c342f94407c9d480576a3096a9233da7eca55b7aa2e6706


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 21:46

Reported

2024-06-04 21:49

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\BDPSvr.sys C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Windows\system32\drivers\BDPSvr.sys C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Windows\SysWOW64\drivers\BDPSvr C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\HImageService\Parameters\ServiceDll = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123SP.dll" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_en.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Tool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util64.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\官方网站.url C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Hao123Picture\Hao123Pic.ini C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\psd.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\jpg.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicSvr32.dat C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Res\error.png C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\LanguageConfig.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicSvr64.dat C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util32.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\COMMON.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\png.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_zh.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Config.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\gif.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_pt.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Upd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\DuiLib32.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\bmp.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Uninst.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicView.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\ImageDraw.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123PicInfo.ini \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\tif.ico C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\MultiLang.xml C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123SP.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Util32.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\ScrSnap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A
File created C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jng C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jng\Hao123PicBack = "AppX43hnxtbyyps62jhe9sqpd" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\ = "Hao123Pic.bmp" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ras C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.raw\Hao123PicBack = "pfmfile" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.wdp C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jng\ = "Hao123Pic.jng" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ras\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jp2\ = "Hao123Pic.jp2" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\ = "Hao123Pic.wmf" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wdp\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.bmp\ = "Hao123Pic.bmp" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ska\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pgx\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jng\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pfm\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tga\ = "Hao123Pic.tga" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.j2k\ = "Hao123Pic.j2k" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pnm C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mng C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.tif\ = "Hao123Pic.tif" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pgx C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.mng\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\PNG.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\ = "Hao123Pic.png" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tga\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.xpm\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jp2\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.jpg C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mng\Hao123PicBack = "AppX43hnxtbyyps62jhe9sqpd" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jpg C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pcx\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pfm\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jpc C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wdp\DefaultIcon\ = "C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\icon\\COMMON.ico" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.png\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ska\ = "Hao123Pic.ska" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.jp2\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.raw\shell C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wmf\Hao123PicBack = "wmffile" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pgx\ = "Hao123Pic.pgx" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ico\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.wmf\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pcx\ = "Hao123Pic.pcx" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.tif\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.j2k\shell\open\command\ = "\"C:\\Program Files (x86)\\Hao123Picture\\1.0.1.1130\\Hao123PicView.exe\" OpenImage %1" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pgx\shell\open\command C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pnm\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.ras\ = "Hao123Pic.ras" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xpm\Hao123PicBack = "PhotoViewer.FileAssoc.Tif" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.pfm\shell\open C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pnm\ = "Hao123Pic.pnm" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.bmp\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.jpg\Hao123PicBack = "jpegfile" C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hao123Pic.xpm\DefaultIcon C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3448 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3448 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3448 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3448 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3448 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe
PID 3180 wrote to memory of 3292 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3180 wrote to memory of 3292 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3180 wrote to memory of 3292 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3180 wrote to memory of 3308 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3180 wrote to memory of 3308 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3180 wrote to memory of 3308 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe
PID 3180 wrote to memory of 4872 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3180 wrote to memory of 4872 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe
PID 3180 wrote to memory of 4872 N/A C:\Windows\SysWOW64\svchost.exe \??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_270fcdaea0dafc67f15c0d171d105a9e_icedid.exe"

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe

"C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe" InstallSpreadOperate 270fcdaea0dafc67f15c0d171d105a9e_icedid240604

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe

"C:\Program Files (x86)\Hao123Picture\1.0.1.1130\Hao123Utility.exe" CreateStartMenu 1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k HImageService -s HImageService

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe

"c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe" UpOnlineData 0

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe

"c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicView.exe" OpenUpdate

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe

"c:\program files (x86)\hao123picture\1.0.1.1130\Hao123Utility.exe" JuziBrowserProtect

Network


Files


C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_zh.xml

MD5 b70656ac5212f6768f0fb7a6db417b94
SHA1 caeb5f9b46a4872fc3453f7e7fa433aa057499da
SHA256 b4c7d9122e0a09ad83ffb11b72bbc1d772110aa307e2da175fb6c80c1871856f
SHA512 766a956daffc62cd17bcee12c59577405a060cc9f319138cef2eaf7fd701511709e4c99eac615e4823e71ada1b3295edbedaafb4918f59eb999653300fecd11f

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_pt.xml

MD5 841cdd4c337ef688b42d0fff96f92887
SHA1 493ed13121eb5506c0cf879d9a3eb20e99b1ba0e
SHA256 2e30790ba59990dca82a424e69983fc7ee5b9fa0670044a3e6ed48a93ba4baac
SHA512 7dae2a8c74d08766a297645e7ff046450b513883b7fc280091bd17048ce16cef753a3aed32e4c015ebf87ed6bbdbe01ca46a46189fd9e2a1e7dbe403d8fa603c

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\lang_en.xml

MD5 fe9eddb052c88267d6da6d547b2c90e7
SHA1 5296d53915add943b8c1b3e155df727794df3ebc
SHA256 7213e551c8810ee3e4d88a6eedb1b420ed5092552c67476fe20329587234bba7
SHA512 54a5482dd2ab3a0ae94e2d6c5269c1c7299483679615ee87d67447a6e7f8fdc4e077b917ca523c4478a94af8c56eeeb645446c2866a3eb540fe3d74c25762a73

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\lang\languageconfig.xml

MD5 30675eb7defb05bdcd079053d6724ca5
SHA1 8e9903751c9d957f86429fe52071ab6811091c85
SHA256 aa8d83be5ebd6ee968e9224ec76c3cb63701ccd08c55c3d07acf5c80d8306c39
SHA512 ae570fafd46e1aa22d61f59fce289cb77d6b28a04f175ecf8938e69e5803080e574cf6f38884003cd497f50ca471596d8cc429005e60178cdc776bb4a4afa8de

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\imagedraw.dll

MD5 28261bca4c40a67c10c57d8a568a9a72
SHA1 ed60db43af8de3ff3d4ff7b3d3ef5ca5e9c90bb2
SHA256 f3acdde318d139ff53138c4b4cc95e241b2b02fe6caa4f8238d3e5c321c7fbad
SHA512 306efc1cde6da22e6a82795a719c725d08a724bb72440a907622255604b33aa9ca2aecf0b39c937ecec5e2eedb32191087e4fa2bc2416a9732083975d04225b6

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\tif.ico

MD5 33161b0e4f90909d4e0e4b6dbc0181d6
SHA1 21c521a807c73205f109df9b08f7ed1e988301e0
SHA256 f777c2c7ace9d6249cd38f75d1d90803e93b0bee00645d95c3caf366032a3e79
SHA512 7329df9a2d1bdabb20720c5cc48f1bbb97cc2c544873743e849319c6d2a9dfe15e0b4d5e15f57fcbde09c5adb9b9e79456cb70bfaaa9c487a899a834db48e63d

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\psd.ico

MD5 18793719f720140444587591a6419b77
SHA1 fb5d311985cd751fdd6853c9c839d70d8a417a51
SHA256 b5011dda647c450dfd7971c56d28fa3442be223b12f7ea9307f93224dee83911
SHA512 86b98a0121e501c2f41c84775b7ae39e5a1038d789a5da76a614a2f183ad02fee0f74a757933d231b577dd9c62ec5231bca5b83b1ebd9696c5b1f4c4646f2437

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\png.ico

MD5 ace012e5488865ff5f37d119e591b79a
SHA1 b7471cfc7ca0480f8a0055ca2e782553b08bbc1c
SHA256 5a753e3ed1588e75971573a97dc4ce65853cc4d9eb91541def171fec3a953a11
SHA512 1e7767454cd6829502b000782c99f84d1d796c1cf357ac561962f6751c6af8f007edd3de9ae1ca396e7ba3de37873eafc432cd3aa8b26d67cb8208c40b2714fc

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\jpg.ico

MD5 db405fd27439d831e453919fa6ddf9a0
SHA1 b150791775f6fb2fd83cb34896256428b1f461d9
SHA256 57ad6c79063c55007e6eaf18112a228a929a734ba806ee2a540a1c63c5397b5a
SHA512 5dc3ee549405b6a8bc25fff4c2b859fb030627da8538f15a1d601be948d0f8a1f329f3a1c1ecfe8cbb2d70c76da0b0c3775b0737433241bdf35aed61ce3bda06

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\gif.ico

MD5 09b992e47444ded62499b6b039e5fef6
SHA1 df20ffea28de72adc7d5f9b400e927ba12fcbbe8
SHA256 5045ef2c28d623913b7192801c321316fba26719ee6f678e7683791473753eb3
SHA512 e87bc05ece9f782b12c433301ca7eaae614faac4ab89828eaf69c114d4cf5032b5bf06ed0a6b0d5b9f0d3546f869773c18a27a518fb2de0ba1413cfde5efba46

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\common.ico

MD5 6e8c00d7a3853bd0a88ff8db18d8befb
SHA1 d3fcf1f056bca24dce2a9b0e841882997d3b163b
SHA256 480480d7acda5ec5e4a571bb3a5e82a4a3a4d0d88591470eee3fe16e12666450
SHA512 e5e21b6ed4a85b9db658a794bf60a5bc6108da0f7164b873597189969ea594280cd78845efaccd4e2c342f94407c9d480576a3096a9233da7eca55b7aa2e6706

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\icon\bmp.ico

MD5 2d6a06fd57410a123398f766cb1f9815
SHA1 1650b0b3d858235dc5ad1d5289a003542e080feb
SHA256 a2926a84a8b2c39f2589ca7268ba035d33ecc153a611dacd4e94366617b47327
SHA512 797776d9d254e28b986a2e4eba9ab7810fbdd00e5efea344968ea397bcaea666fc4925a7ef15915b65785e31019f722b531f562215af1ef970f4074fb1883d1a

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123util64.dll

MD5 2bbb0772777b60e1010290d25a1ac23c
SHA1 e006af98d6b184304c695775d1cbaa21286b6a4e
SHA256 d24092880538563f77065d4a3fdb17851eac1db43c18a653c48e2cd293f7aa78
SHA512 7e7d3fc6f5f575a6a6fdf1dc5975c1198c5e782baaf730cb6d45c1b3d8c31cb08c1e2969ae3e7eff3216197e39546957a8bbc2869f0f2a13c91a11b0e915afb6

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123util32.exe

MD5 8de7c4995b5beb7d9fcc9e256f06f891
SHA1 2c0ed2f3814262dc068c53bec56ee0cc4f9cb0ed
SHA256 1ab8e077000af3ea0710b1f4a97512c0ce15167b6c44701af077257d82a979cb
SHA512 d23a6e2f8045862dc76aafe67e31d0edb0bf6a2d081c27fb966077f393be946db24b52fd65510c641676831a08f98e91cc0f2e9730ea14a515a0f83a5bfd0eeb

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123util32.dll

MD5 17f9e90ff55687e2cd7fae09cc513f5e
SHA1 e4144317ae1d1a3291e5ad5a22fe2a33a27d2afe
SHA256 601198cd6ab310bdf81dcdae1f1bc746a280e68290bdf233c7f979ff3f91121e
SHA512 430a7c919fbc68f2094d6b1d716dbdc43b34b6bfde2f977e9b9313bd28777213c3be5dc782aa23baf96c77f7ea1dd69fcd1f7fc6c686aa5646dcc6cdea7b02ba

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123uninst.exe

MD5 ebfbebb8fc852d3768f023508ab6d6ed
SHA1 a146511e5717c4abac4f9009191d834bc6289fcf
SHA256 dc41b61819cbbcb6ec64c5907ac5bff8aa703ea1f42399291ef7cd572bf40762
SHA512 3ebb248099cf3e0809def597562f1e24f2d68c503c654dd12c1b7979e42e3a0db3bd2e8ace06c8338850dacd0c89d4317cf01a1d6873ed6740ae1038186b7e78

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123tool.exe

MD5 4e4665b9fdce84f0e73a3b96b8a71fe8
SHA1 3262c6bf6d32dec96774211cfc0e13407562c45c
SHA256 150d86e846c83753b7acd3bee04a5846f4b4adbe5e543eeca9779fe00d1f6aeb
SHA512 eaf2888e51acb5eebe385f732d3eb4358ecfbcae8c9e7d39c0367fa86f6f08a80962d99fa1f9449eadc3f507ac5a01613c325a246324ea88c7ba3d805aca22ba

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123plugin.dll

MD5 2d595ce5698a258c4a946e581c0668a1
SHA1 e6f0f948f50fd89b1d036f3f93e2147ce6ea8ecb
SHA256 9a1327f67a16025fd00a4077c082f910014731ca2ee7667d62a409b271efeacf
SHA512 7129156f89a3f8f7a4823013180eb5f44998e4d8ef3da5ee3b1e053b43d9d5b00f9b6529288882c56995bff82f64c85327a9c3b425d2b09f2a825486ba89cbc7

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123picsvr64.dat

MD5 111878d5a664d9fd3b909676cb155f82
SHA1 8e5acfaee98d3b867facc157a02d097c751156c6
SHA256 7bb7d49461417c6a6aa6a1e2fb153258561a5250208c104c352ebeac3374f2b8
SHA512 c5af17d1c4a5f294cfa79d448f36636e217dd152e8858d8c97722e15880fc3e8a9e07720631538b1f51f821257f02bbc3c8dd5854fa030fe78baad8709e5c3be

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123picsvr32.dat

MD5 31c7fed6a81ab157d329cbbbde1cef17
SHA1 8a47102208f5ee5e7d9d34a46ab202c6500294f1
SHA256 82be5b676a165c2bb0b48a88a087086617dc9c8fe53d6293d64cf26cb3900ff8
SHA512 d42acf11767d2044d115d11aabfb010f0bd1bfb69f0f0f7e0e0bee2759176cf53181eb0090556dce874606bac3b6bb132d77b1831c29fae49dfe59f84c19c8c9

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\hao123config.exe

MD5 63c3c99134d417ae0a373f517134b272
SHA1 a9bf78d62a7ea2a4a20a4f863ed2ef8f2ab10dab
SHA256 51f7f3fdc81581de3743ec875086b3bbe9616f618c8be7bf3155289f007a94c2
SHA512 70b93aa1090e3c1ad214f2b1f3e6054aa33cf27ce9d4bd12cb12d6a85d96a5e2dbe6ceca9b9437704fbb0ebcd62a6f4da26508e62df93eae3b2de1168b538046

C:\Program Files (x86)\Hao123Picture\1.0.1.1130\duilib32.dll

MD5 61c81a34bfce9c19e4c9224fe08b3e8a
SHA1 540c6847ba81b63a1c28b5eda0d47020cf335bcb
SHA256 2f20fa97af6167acfb8f8fafdd96e1ab4817091ce349ba1fc4390976b8be7be9
SHA512 70e350c686d51337a714efcad659fab7916ea1a1f9ec8cdcb75f320e345155f99d8c30e8f377fbdd0f6dc1fb72f60c663bb86849bea8a7905488d59711abbd4a

C:\Users\Admin\AppData\LocalLow\Hao123PicView\Config\UseVestige.ini

MD5 f0b3d8a3545bf04bce4af5cc43e3040c
SHA1 ec93e299df7c8e21a517c445348ca7b705357ac1
SHA256 4c286dc4b4f1d990381ac7ef50cf0eb09cdbef26a6e72d474ff404680a85a114
SHA512 f1b0e487e80b4488b1ac33ad99e7415c2d74f005f766c8cac2047f6346b06f710cef9884144757d4f24d5677662e1255aae14ea9108939a8b81e0b0fb02d5cb9

\??\c:\program files (x86)\hao123picture\1.0.1.1130\Hao123PicInfo.ini

MD5 a1ca5ebf8abaffe67a7fc0006acedf33
SHA1 9b7dd63ce31e9b6bc7800c60cad3a34e95e16ec1
SHA256 e2daf39ba1aef71be22c4b9e2ee7d2f39591d2b8337f9cc3281175ff51fd3fd3
SHA512 319c39c6aef2b604dd623326c7ccc8a6882a8eb24aade59af86bb173be7e7b71648a6fd09ff7e6d640eaa500505f6aed0e8123c4f7d3c2fdb2b81671960a0d86

memory/3308-124-0x0000000000BF0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Hao123PicView\Config\UseVestige.ini

MD5 1df5bf9f56aa9789b9966b161c1d9bd5
SHA1 2b06811773c3abef90635a76e7b8942f54d89fb3
SHA256 8b9268bdecb0fe452be584bd826bc8c8dc56a96a9ed4de39a146d92cb378e6d9
SHA512 7aca3320170aa41c9b7741b21fa0eaa6280a325b9a0b508f46ef819e2e6dd9d371696323dd3c3ebc2af1419e845c965554e0ee4c487b23eb37266f58364510f4

C:\Users\Admin\AppData\LocalLow\Hao123PicView\Config\UseVestige.ini

MD5 80804bac6edc8785ce0dfa3d33804054
SHA1 90bd228876c9ad589d0b609dcb86d591329bd462
SHA256 ca4b634a47a44f3cf1c026190876e29ca4ddebfa72c92bb2d8c6b78e423d3a32
SHA512 97fab3b9f5bceb37aec72e5b71e4e8340fd3f12e84698e6c23fe569ac8511805e21084eb745ba937a832210253612372fb035407b86b3048f3418bf51b7a7d28