PUP.Gamehack.FDFA

Analysis Report

General information

Family Name: PUP.Gamehack.FDFA
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: recroom.gay
File Description: recroom.gay - best free c++ cheat for rr
File Version: 1.3.3.7
Internal Name: recroom.gay
Legal Trademarks: recroom.gay
Product Name: recroom.gay
Product Version: 1.3.3.7

Digital Signatures

Signer: Lisa Gamble
Root: SSL.com Root Certification Authority RSA
Status: Root Not Trusted

Signer: NVIDIA Corporation
Root: VeriSign Class 3 Code Signing 2010 CA
Status: Self Signed

File Traits

  • dll
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • No Version Info
  • ntdll
  • VirtualQueryEx
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 131
Potentially Malicious Blocks: 4
Whitelisted Blocks: 126
Unknown Blocks: 1

Visual Map

0 0 0 0 0 ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.DFGF
  • CsgoInjector.QJ
  • Downloader.Agent.BTW
  • GameHack.GAR

Registry Modifications

Key: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001
Value: \device\harddiskvolume2\windows\system32\conhost.exe
Data: (binary value, not rendered as text)
API Name: RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateReserveObject
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletionEx
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDdDDICloseAdapter
  • win32u.dll!NtGdiDdDDIEnumAdapters2
  • win32u.dll!NtGdiDdDDIGetDeviceState

54 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
Process Terminate
  • TerminateProcess
Keyboard Access
  • GetAsyncKeyState
Other Suspicious
  • AdjustTokenPrivileges
Service Control
  • OpenSCManager
  • OpenService
