'Microsoft Azure' Pop-Ups
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 21,446 |
| Threat Level: | 10 % (Normal) |
| Infected Computers: | 1 |
| First Seen: | September 26, 2022 |
| Last Seen: | August 17, 2025 |
| OS(es) Affected: | Windows |
The 'Microsoft Azure' pop-up windows that may be shown in the foreground of new tab pages titled 'Google Security Alert' should not be trusted. Azure by Microsoft is a cloud service that offers cloud storage and server functionality to business worldwide, but the 'Microsoft Azure' has nothing to do with that. Moreover, the Google Safebrowsing Web filter maintained by Google Inc. is not connected to the Azure services by Microsoft. The 'Microsoft Azure' alerts are created by con artists who use names, logos, slogans, and fake security verification banners to make users believe they were infected with a virus or were attacked by a hacker remotely. The 'Microsoft Azure' messages contain misleading information and aim to convince users to call a toll-free phone line like 888-790-4177. The phone lines operated by the 'Microsoft Azure' con artists offer PC users to subscribe to premium technical support services. The services promoted via the 'Microsoft Azure' windows are nonexistent. The 'Microsoft Azure' pop-up windows may offer the following text:
'Microsoft Azure
Firewall detecting ‘suspicious’ incoming network connections, we recommend that you click “Back to Safety”
For help, Call: +1888-790-4177
Your computer has been Locked
Your computer with the IP address [your real IP address] has been infected by the Trojans – Because System Activation KEY has expired & Your information (for example, passwords, messages, and credit cards) have been stolen. Call the Windows Help Desk to protect your files and identity from further damage.
Call Now: +1888-790-4177
Automatically report details of possible incidents to Google.'
It is recommended to report the pages associated with the 'Microsoft Azure' tech support tactic by using your browser's built-in security features. Do not call 888-790-4177 or other numbers that may be found on the 'Google Security Alert' new tabs and 'Microsoft Azure' warnings. Google Inc. and Microsoft Corp. are not associated with services that are promoted via phishing pages and fake security alerts. You can find tips on how to access the security reports in Chrome, Firefox, Opera, Edge and IE below:
- Edge: Open the browser's menu and click 'Send Feedback' then choose 'Report site issue', enter the URL and add a short explanation about your experience.
- Internet Explorer 11: Click on the gear icon, chose 'Safety' and then click 'Report unsafe site,' in the pop-up window mark the category of the site and complete the CAPTCHA challenge.
- Google Chrome: Click on the three dots icon, mark 'Help' and chose 'Report an issue'. You can add a few sentences as a comment and click 'Send.'
- Mozilla Firefox: Open the browser's menu and navigate to 'Help' (the question mark icon) and click on 'Report Deceptive Site.'
- Opera: Click on the site's badge located in the URL bar and click 'Details' then load the 'Fraud and Malware Protection' tab and click 'Report Site.'
Table of Contents
Analysis Report
General information
| Family Name: | PUP.MSIL.Gamehack.BBB |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
8296381459450412ce697bb6dc424d89
SHA1:
17e7c306464a17f799d278a1f89e7f8c53527b55
SHA256:
72BAFE252CC232CBEDE729C87698B08A1ABB515D7C155D9BA8D97F9A50DF3574
File Size:
83.46 KB, 83456 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File is .NET application
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Assembly Version | 0.0.0.0 |
| File Version | 0.0.0.0 |
| Internal Name | BTD Backend.dll |
| Original Filename | BTD Backend.dll |
| Product Version | 0.0.0.0 |
File Traits
- .NET
- dll
- WriteProcessMemory
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 200 |
|---|---|
| Potentially Malicious Blocks: | 112 |
| Whitelisted Blocks: | 88 |
| Unknown Blocks: | 0 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- MSIL.Gamehack.BBB
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
