home

imgschome.exe

hao123桌面快捷方式 安装程序

Beijing baidu Netcom science and technology co.ltd

The application imgschome.exe by Beijing baidu Netcom science and technology co.ltd has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from s0.br.hao123img.com.
Publisher:
Baidu.com  (signed by Beijing baidu Netcom science and technology co.ltd)

Product:
hao123桌面快捷方式 安装程序

Version:
1.0.0.1111

MD5:
b2c3fb20bf93c6cd7971ad96a5da1d35

SHA-1:
53fc89b71de0fea4819215356c51344901851ccc

SHA-256:
ece8bb45ae94e77e34b6fb80d0472b1109fa1ba2f989c1c5f460ebabf26db2db

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 5:43:10 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.HfsAdware
1.3.0.6979

ESET NOD32
Win32/Hao123.C potentially unwanted (variant)
9.12198

K7 AntiVirus
Trojan
13.2017106

McAfee
Artemis!B2C3FB20BF93
5600.6647

Sophos
Generic PUA FD (PUA)
4.98

File size:
477.1 KB (488,592 bytes)

Product version:
1.0.0.1111

Copyright:
(C) 2011 Baidu.com。保留所有权利。

Original file name:
hao123Inst.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\downloads\imgschome.exe

Digital Signature
Signed by:
Beijing baidu Netcom science and technology co.ltd

Authority:
VeriSign, Inc.

Valid from:
2/26/2012 9:00:00 PM

Valid to:
2/26/2015 8:59:00 PM

Subject:
CN=Beijing baidu Netcom science and technology co.ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Beijing baidu Netcom science and technology co.ltd, L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
56659719569BE07B775A1B2275E2D83A

File PE Metadata
Compilation timestamp:
8/8/2014 1:10:51 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:fzoMGmeSfdMdnG4IOXUf9i+dkUpa5I2I087rQNB1nU/VYG7H9x9gW/q0F8LOPtMg:roMGhpZ1J9+dk/y0X9tG7T/q0ECNE

Entry address:
0x1F2510

Entry point:
60, BE, 00, 60, 58, 00, 8D, BE, 00, B0, E7, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
436 KB (446,464 bytes)

The file imgschome.exe has been seen being distributed by the following URL.

http://s0.br.hao123img.com/resource/.../imgschome.exe

Remove imgschome.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.