Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.Gamehack.GAIN

PUP.Gamehack.GAIN

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.Gamehack.GAIN
Signature status: No Signature

Known Samples

MD5: 709877f82bb6a4be01d5f75f87e14401
SHA1: e68a21f9ce2f23de93d085b0c559d8e0b7389180
SHA256: 2ED4BAB3A1EDF0F59259AC266B549CE883AD547A9C0C40101542BF3ED3E2D175
File Size: 2.50 MB, 2497024 bytes
MD5: 019b6ad98918cfe839162fea5bafde6f
SHA1: 7cb67334fe05f78e6b467275a2a82a3ac2994828
SHA256: 9FF71033ABFD9160CCC123232A3E68510D1E1753EED19BE86A1435306203C1D2
File Size: 2.37 MB, 2365440 bytes
MD5: 34bf516de314b9d4f1b9813486548393
SHA1: c5a05bbf7ba786ac44cf8b0b6fdbc925d29f37b0
SHA256: 2C391E863D9A7C1307D057DA9B87E7A704344AEC780FAFD9AB8227C6F1FA6D87
File Size: 3.42 MB, 3420160 bytes
MD5: f4705b008f1c2461eee7ce926d6149f8
SHA1: edd735acebb408b8901fb6a690e391d59513e701
SHA256: 3438CDF342DEF78C294DE3A7E9FA39EB2F0B6998713AEA410ADDDDB249769F2D
File Size: 2.49 MB, 2489856 bytes
MD5: c09c92186eb50cc313b09eb821fe3a95
SHA1: 27ea3e0e1a91b521c4b4dc6dfda4411cb5844451
SHA256: 8E3E88CBCFBD0FF4BE869167DCAA1B384122DD90B1CD470DC3C7B66CABE0B802
File Size: 2.51 MB, 2506240 bytes
Show More
MD5: 93783505a4f5197ae445f8203f777bd3
SHA1: ec4298b2a2f3a004d185b72f5c0f92c3b2368f57
SHA256: AE93A0914DA3D596C4A2717DFD59E7133AD172C1CFE88C98ECB29AC3C2522A00
File Size: 2.46 MB, 2463232 bytes
MD5: df1b85de047d6c1ab016f537bb6ed433
SHA1: bbc9ea6b40cd00da8f162c78491ac07d0111c205
SHA256: 828D799341B8BEE6D457C029EE6996DE91985C8312862915492FFC198A059AA6
File Size: 2.50 MB, 2499584 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

File Traits

  • 2+ executable sections
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • No Version Info
  • ntdll
  • VirtualQueryEx
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 7,730
Potentially Malicious Blocks: 404
Whitelisted Blocks: 7,010
Unknown Blocks: 316

Visual Map

0 0 0 0 0 0 x ? 0 0 ? 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 ? 0 0 0 0 x 0 0 0 0 0 0 x 0 0 x 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 x x 0 x 0 x x x 0 0 ? ? x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 1 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 x x x x x 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 1 0 0 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 x 0 0 0 0 0 1 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? x ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? 0 0 x ? ? 0 0 ? x ? ? 0 0 0 0 0 x x ? x 0 0 0 0 x 0 0 x 0 0 0 x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 x 0 x x x 0 x 0 0 x 0 0 0 0 0 0 0 0 x x x x 0 0 0 x x 0 x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 x x 0 x x x x x x 0 0 0 1 0 0 0 0 0 x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 0 0 0 0 0 x 0 x x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x x 0 0 0 0 0 x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 0 0 x x 0 x x 0 0 0 0 0 0 0 0 x 0 x 0 0 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? 0 ? ? x ? 0 0 0 0 0 0 x x x x 0 0 ? x x 0 ? 0 x x x x ? x x x 0 0 0 0 0 0 1 0 0 ? ? 0 ? ? ? ? 0 0 ? ? ? 0 ? ? 0 0 ? ? ? 0 ? ? 0 ? ? ? 0 ? ? ? ? ? 0 ? ? x x x x x x x ? ? 0 ? 0 ? 0 x ? x 1 0 0 ? 0 ? ? ? 0 ? 0 0 ? ? ? ? ? ? ? x 0 0 0 0 0 ? ? 0 ? ? 0 x ? ? 0 0 0 x ? ? x ? 0 0 0 ? x 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 x x 0 0 0 0 0 x 0 x 0 x 0 x 0 0 ? x 0 0 0 0 1 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 x x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? ? 0 0 ? ? 0 0 ? 0 0 ? ? 0 ? 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 ? 0 x 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 ? 1 ? 0 ? 0 0 ? ? 0 0 0 x ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 x ? ? ? x 0 x x 0 x x ? ? x 0 x x 0 x 0 x 0 x x x ? x x ? 0 0 x x 0 ? ? 0 ? x 0 x 0 ? x 0 ? x 0 ? ? ? 0 ? ? ? ? ? 0 x ? 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? ? 0 ? 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 ? 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 0 0 0 ? x x 0 0 0 x 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Gamehack.GAIN
  • Gamehack.GSH
  • Gamehack.GYF
  • TelegramHack.G

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\guardianangel Generic Read,Write Data,Write Attributes,Write extended,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 퓊獚鞼ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 飻獟鞼ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ો玳鞼ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
Show More
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • WriteConsole
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess

Shell Command Execution

C:\Windows\System32\cmd.exe /c echo d | xcopy "c:\users\user\downloads" "C:\GuardianAngel\" /Y && attrib +s +h "C:\GuardianAngel" && "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath \"C:\GuardianAngel\""
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" echo d "
C:\WINDOWS\system32\xcopy.exe xcopy "c:\users\user\downloads" "C:\GuardianAngel\" /Y
WriteConsole: Unknown error.
WriteConsole: Unable to create
Show More
WriteConsole: Angel
WriteConsole: 0 File(s) copied
C:\GuardianAngel\GuardianAngel.exe -r "c:\users\user\downloads"

Trending

Most Viewed

Loading...