PUP.ShandaAdd.B

Analysis Report

General information

Family Name: PUP.ShandaAdd.B
Signature status: Self Signed

Known Samples

MD5: a7632014dd80a619eaa08fd165a0d0bd
SHA1: 205b70d62bd06689fe6382dd0235f93be59b9c54
SHA256: 22E9B88300965F86E2B3F18D0FA427206EC51C97010E271B571C15651C03ED6C
File Size: 3.45 MB, 3453760 bytes
MD5: e8c2999157769a90755d530276279818
SHA1: f52a62154cf4f7a39f2e59bd911e8f89e970a07a
SHA256: AF1820117E2D0434133B35E8B17FF41BB44A9507C713F1F719374E7EBCB3B931
File Size: 5.26 MB, 5261640 bytes
MD5: 6df063b107c8dbd439db1c2526670c8a
SHA1: d1cf0ed79f601ef68b96000c16bd8453fbccc452
SHA256: 09AB49449CDBEBD3C9BD29B3C8992FFDB1D99BCA7F1560123DC0E74540BE4170
File Size: 4.19 MB, 4189568 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
Show More
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name
  • 盛趣游戏
File Description
  • 冒险岛下载器
  • 卸载程序
  • 最终幻想14下载器
File Version
  • 2.2.0.0
  • 1, 0, 4, 174
  • 1, 0, 4, 172
Internal Name
  • uninst
  • 冒险岛下载器
  • 最终幻想14下载器
Legal Copyright
  • Copyright (C) 盛趣游戏 版权所有 2013 - 2019
  • 盛趣游戏 版权所有。
Original Filename
  • 冒险岛下载器
  • 最终幻想14下载器
Product Name
  • StartingShot
  • 卸载
Product Version
  • 2.2.0.0
  • 1, 0, 4, 649
Special Build
  • 冒险岛下载器
  • 最终幻想14下载器

Digital Signatures

Signer Root Status
盛趣信息技术(上海)有限公司 DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 Self Signed

File Traits

  • HighEntropy
  • x86

Block Information

Total Blocks: 7,120
Potentially Malicious Blocks: 1,608
Whitelisted Blocks: 5,474
Unknown Blocks: 38

Visual Map

x 0 0 x 0 x x x 0 x x x 0 x x x 0 x x 0 x x x x x x x x x 0 x x 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x x x x 0 x x x x x 0 x x x x x x x 0 x 0 x x x x x x x x 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x 0 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x x 0 0 0 0 0 0 0 x x x x x 0 0 x x x x 0 x x ? ? x 0 x 0 0 x ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x ? 0 ? ? ? 0 0 ? ? x x 0 x x x x x 0 x x x 0 0 0 0 x x x 0 x x x 0 0 x x x x 0 x x x 0 x x x x x 0 0 x x x x x 0 0 0 0 0 x x x x x x x x x x x x 0 x x x 0 x x 0 x x x x x x x 0 x 0 x x x x x x x x x 0 x x x x x x x x x x 0 x x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 x x x 0 x 0 0 0 0 x x x 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 x x x x x x x x x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 x 0 0 x x x x x 0 0 0 0 0 x 0 0 0 0 0 0 0 x x x x 0 x 0 0 x x 0 x x x x x x x x 0 0 x 0 0 0 0 0 0 0 0 0 0 x x x x x x x x x x x 0 x x x x x x 0 0 x x x 0 0 x x x x x x x x x x x 0 0 x x x x x x 0 x x 0 x x x x x x x x x x 0 x x x 0 x 0 0 x x x 0 x 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x x x x x x 0 0 0 0 0 0 x 0 0 x x x x 0 0 x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x x x x x x x x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x x x 0 x 0 0 0 0 x x x 0 x x x x 0 0 x x x x 0 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • ShandaAdd.B

Files Modified

File Attributes
c:\users\user\appdata\local\uninst.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecute
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

open C:\Users\Sjugbhkf\AppData\Local\uninst.exe c:\users\user\downloads

Trending

Most Viewed

Loading...