Malware Analysis Report

2025-03-15 04:20

Sample ID: 241025-3q2cxstnbn
Target: d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N
SHA256: d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74
Tags: discovery, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74

Threat level: shows suspicious behavior.

The file d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N was classified as "shows suspicious behavior". The report attaches no family name; the verdict rests on the behavioral signatures listed next, which are the same in the Windows 7 and Windows 10 runs.

Malicious Activity Summary

Tags: discovery, spyware, stealer

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Read together, the indicator tables in the two behavioral sections support the following.

Self-copy: in both runs the sample writes C:\Windows\SysWOW64\Shohdi.hdi, and the dropped file's SHA256 equals the submitted sample's, so it is a byte-for-byte copy.

Executable replacement in Program Files: the file events come in pairs under the same name, an opened-for-modification name.sho alongside a created name.exe (for example elevation_service.sho and elevation_service.exe, MSTORE.sho and MSTORE.EXE, setup.sho and setup.exe). That is consistent with each host executable being renamed aside under a .sho extension and replaced by a new binary under its original name, which is considerably more than "drops file in Program Files directory" suggests. A host that ran this sample should be searched for .sho files next to its executables, and the executables in those directories should be treated as untrusted until re-hashed against known-good copies.

Weakly supported tags: "Reads user/profile data of web browsers", the signature that carries the spyware and stealer tags, has no indicator rows in either run, and "Suspicious behavior: RenamesItself" has none either. "System Language Discovery" is a single read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, consistent with a locale check but not evidence of one on its own.

Network: the Windows 7 run recorded no traffic, and no row of the Windows 10 run's network table is attributed to the sample's process.

MITRE ATT&CK

Enterprise Matrix V15. The one signature above that carries an ATT&CK technique name is System Location Discovery: System Language Discovery (T1614.001); the report lists no further technique mappings.

Analysis: static1

Detonation Overview

Reported: 2024-10-25 23:43

Signatures

Unsigned PE

No indicator rows: this signature is a static property of the file (it carries no Authenticode signature), not an observed action.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-25 23:43
Reported: 2024-10-25 23:46
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe"

Signatures

Reads user/profile data of web browsers

Tags: spyware, stealer. No indicator rows are given for this signature, so which profile paths were read is not shown.

Drops file in System32 directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe; Target: N/A

Description | Indicator
File created | C:\Windows\SysWOW64\Shohdi.hdi
File opened for modification | C:\Windows\SysWOW64\Shohdi.hdi

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe; Target: N/A. Rows are in the report's order; note the paired names (a created name.exe alongside an opened-for-modification name.sho).

Description | Indicator
File created | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
File created | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.sho
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.sho
File created | \??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
File created | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\XLICONS.sho
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.sho
File created | \??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.sho
File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.sho
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.sho
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.sho
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.sho
File created | \??\c:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
File created | \??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.sho
File created | \??\c:\Program Files\Microsoft Games\Chess\Chess.exe
File created | \??\c:\Program Files\Mozilla Firefox\firefox.exe
File created | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
File created | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.sho
File created | \??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
File created | \??\c:\Program Files\VideoLAN\VLC\vlc.exe
File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\SCANPST.sho
File created | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
File created | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
File created | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.sho
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.sho
File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.sho
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.sho
File created | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.sho
File opened for modification | \??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.sho
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.sho
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\chrome.sho
File created | \??\c:\Program Files\Microsoft Games\Hearts\Hearts.exe
File created | \??\c:\Program Files\Mozilla Firefox\uninstall\helper.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.sho
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.sho
File created | \??\c:\Program Files\7-Zip\Uninstall.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.sho
File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.sho
File created | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
File created | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
File created | \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
File created | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
File created | \??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe

System Location Discovery: System Language Discovery

Tags: discovery
Process: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe; Target: N/A

Description | Indicator
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe. No description, indicator or target is recorded for this signature.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe"

Network

None recorded in this run.

Files

C:\Windows\SysWOW64\Shohdi.hdi

MD5 6c31b421bdb2c6b81f232eb6372f6390
SHA1 a2c3fbdef0254e404c552cf47129ba076766d3f9
SHA256 d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74
SHA512 d7785bb4d0d5dcc1dee2e8d53afbd02bd2b4ebae848d54d15f1d2f0a7f8a79fe062cfddb2b8f42903a6acb279cc79037ab309c7024a55ae6bba2e0bea00790e0

The SHA256 equals the submitted sample's (see the header), so this file is a byte-for-byte copy of it.

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 ff770d586e13c91bed490bccb6d32f44
SHA1 c1b717a80647fa60713c3abc2df863af9c7f332b
SHA256 8ca6788c055e9298de1c6225b1947876c0b67f6c5726b4b35d6d27fd1ae30e6c
SHA512 4e6413d9282936c66c2ef2b85c4d9326a357ff7882341fdca6bb63b029598f3f4a7777289c6a0fff8a0592b52140b6bac342e3ef77e1f19dcdae66476ca2cf4a

Listed among the files written during the run, with hashes that differ from the sample's. The report does not say whether this is a modified host binary or a separate payload; extract it and compare it with a clean copy of the Office setup cache before drawing a conclusion.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-25 23:43
Reported: 2024-10-25 23:45
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe"

Signatures

Reads user/profile data of web browsers

Tags: spyware, stealer. No indicator rows are given for this signature, so which profile paths were read is not shown.

Drops file in System32 directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe; Target: N/A

Description | Indicator
File created | C:\Windows\SysWOW64\Shohdi.hdi
File opened for modification | C:\Windows\SysWOW64\Shohdi.hdi

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe; Target: N/A. Rows are in the report's order; note the paired names (a created name.exe alongside an opened-for-modification name.sho).

Description | Indicator
File created | \??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
File opened for modification | \??\c:\Program Files\7-Zip\7zFM.sho
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaw.sho
File created | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.sho
File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File created | \??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.sho
File created | \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
File created | \??\c:\Program Files\Google\Chrome\Application\chrome.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTEM.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\Wordconv.sho
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.sho
File opened for modification | \??\c:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.sho
File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.sho
File created | \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
File created | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.sho
File created | \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.sho
File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.sho
File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.sho
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.sho
File created | \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
File opened for modification | \??\c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.sho
File created | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\msoia.exe
File created | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe
File created | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE
File opened for modification | \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.sho
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\MSQRY32.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\PPTICO.sho
File created | \??\c:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\Wordconv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.sho
File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.sho
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.sho
File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.sho
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.sho
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jconsole.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.sho
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.sho
File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\javacpl.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.sho
File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.sho
File created | \??\c:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.sho
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\msotd.sho
File created | \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File created | \??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE
File created | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE
File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.sho
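The Program Files tables of both runs are easier to read once each created name.exe is matched with the name.sho that was opened for modification beside it. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own "Description Indicator Process Target" layout (split from the right, because the path column contains spaces), groups events by path-without-extension, and reports every stem that has both halves of the pair. The sample rows are copied from the two tables above; the pairing rule and all function names are mine, and the rename-aside interpretation is a reading of the data, not something the report states.

```python
"""Pair the file events of this report into "executable replaced" candidates.

Added example, not the sandbox's own code. Rows use the report's layout
("Description Indicator Process Target", joined by single spaces); because
the Indicator path itself contains spaces, the row is split from the right.
The pairing rule (a created name.exe plus an opened-for-modification name.sho
with the same stem) is my reading of the tables, not something the report states.
"""
from collections import defaultdict
from typing import NamedTuple

# The Process column is identical in every row of the report.
PROCESS = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe")

# Constructed subset: rows copied from the behavioral1 and behavioral2 tables.
ROWS = [
    r"File created \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe " + PROCESS + " N/A",
    r"File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.sho " + PROCESS + " N/A",
    r"File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE " + PROCESS + " N/A",
    r"File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.sho " + PROCESS + " N/A",
    r"File opened for modification \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.sho " + PROCESS + " N/A",
    r"File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe " + PROCESS + " N/A",
    r"File created \??\c:\Program Files\Mozilla Firefox\firefox.exe " + PROCESS + " N/A",
    r"File created C:\Windows\SysWOW64\Shohdi.hdi " + PROCESS + " N/A",
    r"File opened for modification C:\Windows\SysWOW64\Shohdi.hdi " + PROCESS + " N/A",
]

ACTIONS = {"File created": "created", "File opened for modification": "modified"}


class FileEvent(NamedTuple):
    action: str   # "created" or "modified"
    path: str     # Indicator column with the NT "\??\" prefix removed
    process: str  # Process column


def parse_row(row: str) -> FileEvent:
    """Split one report row into a FileEvent."""
    for label, action in ACTIONS.items():
        if row.startswith(label + " "):
            rest = row[len(label) + 1:]
            break
    else:
        raise ValueError(f"unrecognised description in row: {row!r}")
    # Target is always the last token and Process the one before it;
    # whatever remains is the path, embedded spaces included.
    rest, _target = rest.rsplit(" ", 1)
    path, process = rest.rsplit(" ", 1)
    if path.startswith("\\??\\"):
        path = path[4:]
    return FileEvent(action, path, process)


def pair_replacements(events):
    """Return (replaced_stems, other_events).

    A stem (path without extension) goes into replaced_stems when a .exe was
    created AND a .sho was opened for modification under that stem, i.e. the
    rename-aside-and-replace pattern visible in the tables above. Every event
    that does not complete such a pair is returned in other_events for review.
    """
    by_stem = {}
    for ev in events:
        stem, dot, ext = ev.path.rpartition(".")
        if not dot or "\\" in ext:       # dot only inside a directory name: no extension
            stem, ext = ev.path, ""
        entry = by_stem.setdefault(stem.lower(), {"stem": stem, "events": defaultdict(list)})
        entry["events"][ext.lower()].append(ev)

    replaced, other = [], []
    for entry in by_stem.values():
        evs = entry["events"]
        created_exe = any(e.action == "created" for e in evs.get("exe", []))
        modified_sho = any(e.action == "modified" for e in evs.get("sho", []))
        if created_exe and modified_sho:
            replaced.append(entry["stem"])
        else:
            other.extend(e for lst in evs.values() for e in lst)
    return replaced, other


def triage(rows):
    """Parse report rows and pair them; the entry point for the full tables."""
    return pair_replacements([parse_row(r) for r in rows])


if __name__ == "__main__":
    replaced, other = triage(ROWS)
    print("executables replaced (original presumably kept as .sho):")
    for stem in replaced:
        print(f"  {stem}.exe  <->  {stem}.sho")
    print("unpaired events for manual review:")
    for ev in other:
        print(f"  {ev.action:<8} {ev.path}")
```

Feed it the full tables and every stem it returns is a binary to re-hash against a known-good copy. Unpaired rows are not necessarily benign: the Shohdi.hdi self-copy lands there, and so does any .exe whose .sho partner simply did not make it into the excerpt. On a host suspected of having run the sample, `Get-ChildItem 'C:\Program Files','C:\Program Files (x86)' -Recurse -Filter *.sho` lists the renamed originals directly.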

System Location Discovery: System Language Discovery

Tags: discovery
Process: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe; Target: N/A

Description | Indicator
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe. No description, indicator or target is recorded for this signature.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74N.exe"

Network

No process is attributed to these rows; the table covers all traffic seen from the VM during the run.

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Every UDP row is a query to the resolver 8.8.8.8: eleven reverse (PTR) lookups and one forward lookup of tse1.mm.bing.net, followed by four TCP connections to 150.171.28.10:443 for that name. Nothing here is tied to the sample's process, and the Windows 7 run produced no traffic at all, so treat this table as background activity of the Windows 10 image rather than as command-and-control until a process-attributed connection appears.
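The PTR names in the table are the octets of the address being resolved, written in reverse, so they tell you which addresses the VM was looking up even though no forward name is given. The script below is an added example (mine, not the sandbox's): it parses the rows exactly as printed above, decodes each in-addr.arpa name back to an address, and separates what the VM resolved from what it actually connected to. The row data is copied from the table; the function names are mine, and the conclusion that the traffic is image background noise is my reading of the result, not the report's.

```python
"""Decode the Network table of the Windows 10 run.

Added example, not the sandbox's own code. The rows are the report's
"Country Destination Domain Proto" table as printed; the grouping into
reverse lookups, forward lookups and connected endpoints is mine.
"""
import ipaddress
import re
from collections import Counter
from typing import NamedTuple

# Constructed from the Network table above (rows copied verbatim).
NETWORK_TABLE = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa$")


class Conn(NamedTuple):
    country: str
    dest: ipaddress.IPv4Address
    port: int
    name: str
    proto: str


def ptr_to_ip(name: str):
    """'154.239.44.20.in-addr.arpa' -> IPv4Address('20.44.239.154'); None if not a PTR name.

    A PTR owner name lists the four octets in reverse order under in-addr.arpa.
    """
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def parse_network(table: str):
    """Parse the whitespace-separated rows into Conn records."""
    conns = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ipaddress.IPv4Address(ip), int(port), name, proto))
    return conns


def summarize(conns):
    """Split the table into what the VM resolved and what it connected to."""
    reverse, forward, endpoints = set(), set(), Counter()
    for c in conns:
        if c.proto == "udp" and c.port == 53:
            ip = ptr_to_ip(c.name)
            if ip is not None:
                reverse.add(ip)
            else:
                forward.add(c.name)
        else:
            endpoints[(str(c.dest), c.port, c.proto)] += 1
    return {
        "reverse_lookups": sorted(reverse),   # addresses the VM was resolving to names
        "forward_lookups": sorted(forward),   # names the VM was resolving to addresses
        "endpoints": endpoints,               # (ip, port, proto) -> connection count
    }


def unexpected_resolvers(conns, allowed=("8.8.8.8",)):
    """DNS sent anywhere other than the sandbox resolver: a quick C2-over-DNS check."""
    return sorted({str(c.dest) for c in conns
                   if c.proto == "udp" and c.port == 53 and str(c.dest) not in allowed})


if __name__ == "__main__":
    summary = summarize(parse_network(NETWORK_TABLE))
    for ip in summary["reverse_lookups"]:
        print("reverse lookup of", ip)
    print("forward lookups:", summary["forward_lookups"])
    print("endpoints:", dict(summary["endpoints"]))
    print("unexpected resolvers:", unexpected_resolvers(parse_network(NETWORK_TABLE)))
```

For this table the decoded addresses are all in the 2.x, 4.x, 13.x, 20.x, 40.x, 52.x, 173.x and 192.x ranges, the only forward name is a Bing thumbnail host, and every DNS packet went to the sandbox resolver. Any row that would not fit that shape (a resolver other than 8.8.8.8, a forward name with no matching TCP endpoint, a TCP endpoint with no preceding lookup) is the kind of entry worth pulling out and attributing by process.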

Files

C:\Windows\SysWOW64\Shohdi.hdi

MD5 6c31b421bdb2c6b81f232eb6372f6390
SHA1 a2c3fbdef0254e404c552cf47129ba076766d3f9
SHA256 d0d729dcbc883e2e9ff252fe6acd3bb2fcb992f85167a30e924d871559938c74
SHA512 d7785bb4d0d5dcc1dee2e8d53afbd02bd2b4ebae848d54d15f1d2f0a7f8a79fe062cfddb2b8f42903a6acb279cc79037ab309c7024a55ae6bba2e0bea00790e0

The SHA256 equals the submitted sample's (see the header), so this file is a byte-for-byte copy of it. No other written file is listed for the Windows 10 run.