PUP.ShandaAdd.B

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.ShandaAdd.B
Signature status:	No Signature

Known Samples

MD5: a7632014dd80a619eaa08fd165a0d0bd

SHA1: 205b70d62bd06689fe6382dd0235f93be59b9c54

SHA256: 22E9B88300965F86E2B3F18D0FA427206EC51C97010E271B571C15651C03ED6C

File Size: 3.45 MB, 3453760 bytes

MD5: e8c2999157769a90755d530276279818

SHA1: f52a62154cf4f7a39f2e59bd911e8f89e970a07a

SHA256: AF1820117E2D0434133B35E8B17FF41BB44A9507C713F1F719374E7EBCB3B931

File Size: 5.26 MB, 5261640 bytes

MD5: 6df063b107c8dbd439db1c2526670c8a

SHA1: d1cf0ed79f601ef68b96000c16bd8453fbccc452

SHA256: 09AB49449CDBEBD3C9BD29B3C8992FFDB1D99BCA7F1560123DC0E74540BE4170

File Size: 4.19 MB, 4189568 bytes

MD5: 6b89ba9f8f197ae67ec7f31ba2bdec86

SHA1: 39ae37cd52b460185ff1f3ef06bc37a9e83794c0

SHA256: 516A9A0F20216E378DE89E515CD6261508F11A9E326308970909BA942F7C474C

File Size: 782.42 KB, 782423 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	上海数龙科技有限公司盛趣游戏
File Description	《彩虹岛Online》客户端安装包冒险岛下载器卸载程序最终幻想14下载器
File Version	11.1.3.3 2.2.0.0 1, 0, 4, 174 1, 0, 4, 172
Internal Name	uninst 冒险岛下载器最终幻想14下载器
Legal Copyright	Copyright (C) 盛趣游戏版权所有 2013 - 2019 上海数龙科技有限公司盛趣游戏版权所有。
Original Filename	冒险岛下载器最终幻想14下载器
Product Name	StartingShot 《彩虹岛Online》卸载
Product Version	2.2.0.0 1, 0, 4, 649
Special Build	冒险岛下载器最终幻想14下载器

Digital Signatures

Signer	Root	Status
盛趣信息技术（上海）有限公司	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1	Self Signed

File Traits

dll
HighEntropy
x86

Block Information

Similar Families

ShandaAdd.B

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\nsuf39e.tmp\datacollection.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsuf39e.tmp\serverlist.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsuf39e.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsuf39e.tmp\systeminfokeys.xml	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\2026-05-10-00-44-53-735-41.dmp	Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\uninst.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af521\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P	RegNtPreCreateKey

HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75

RegNtPreCreateKey

Windows API Usage

Category	API
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess ShellExecute
Other Suspicious	SetWindowsHookEx

Shell Command Execution


							open C:\Users\Sjugbhkf\AppData\Local\uninst.exe c:\users\user\downloads


							"C:\Users\Qnotwlfx\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.ShandaAdd.B

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

FunkLyrics

SoftcoreTeenies

Trojan.Downloader.Cutwail.BF

Most Viewed

Pornktube.porn

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen