PUP.Gamehack.GACB
Analysis Report
General information
| Family Name: | PUP.Gamehack.GACB |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 0c00473b8f32ebb5c8670d70e886e03e | 366634c855b6a67e67f46a617ec06a0f60a6b57d | B2E60A85E42FF2765DC65530BDE1E89A5BFCA583846F48CCEB46CBF38FCD72C9 | 5.75 MB, 5745152 bytes |
| 0194b332e187c2f1b198daaa64bb689d | afd64800424876874f7482df2c68c40ef76df243 | 46707385080CF9EE4B491171181DE822F5A16078E53A1267F41945D680041229 | 6.13 MB, 6134784 bytes |
| ccf8d3da840d922ff17b64308d86d896 | 29de4a26a997013a6e35b2ab226d10102c9e6783 | 584CFA48AC7E506C24F9C67C9B2297053BCC19A55486D184093831AD84D77582 | 2.96 MB, 2957313 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | N/A |
| File Description | OpenXR SteamVR Passthrough API Layer |
| File Version | 0.3.2.0 |
| Internal Name | XR_APILAYER_NOVENDOR_steamvr_passthrough.dll |
| Legal Copyright | Copyright (C) Rectus 2024 |
| Original Filename | XR_APILAYER_NOVENDOR_steamvr_passthrough.dll |
| Product Name | OpenXR SteamVR Passthrough API Layer |
| Product Version | 0.3.2 |
File Traits
- dll
- HighEntropy
- imgui
- ntdll
- VirtualQueryEx
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 3,851 |
|---|---|
| Potentially Malicious Blocks: | 411 |
| Whitelisted Blocks: | 3,123 |
| Unknown Blocks: | 317 |
Visual Map
[Block map: on the original page this is a graphical grid of per-block classification symbols; the grid data is not reproducible as text here, and the page itself notes "Data truncated".]
Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |

80 additional items are not displayed above.