PUP.GameHack.GL

Analysis Report

General information

Family Name: PUP.GameHack.GL
Signature status: Root Not Trusted

Known Samples

MD5: 0bb0c0beaf06aa5b1f093ec8cd0666de
SHA1: 64c64d7d68fa18fb41e7a4d4e50a8eb1fa698162
File Size: 467.97 KB, 467968 bytes
MD5: f9192da8c5c46b87b3a8364a2498f5a3
SHA1: 4a70d4d46237a37335b4d470e09dd8c7abbfcb68
File Size: 365.09 KB, 365088 bytes
MD5: 735e962c5c09e2a1ab6f43fadd1cf7ba
SHA1: 82e9c4c7788afaadb41750327ada1b3a951b9b10
SHA256: 7403366A72C514986246F454DB1BCFDF4858401896B7EE0B82D6D24E43BE9FAF
File Size: 455.68 KB, 455680 bytes
MD5: bf12f4bb93bff1f5b805e033d2104f35
SHA1: c11b0b1d6b91b60ba1be72d4f40d04da63f40a85
SHA256: 3254A6A9A9FBEC7BDFE0FEAF04BC5941A4A2C7B0987B57667428093DD8454C09
File Size: 494.08 KB, 494080 bytes
MD5: 69731aaefc64345bc18eff5ef3e238a3
SHA1: 3a5557844e0638f76aea7aabbbedc03366dc83c7
SHA256: 50455F3643B5349C8430DE23BEF1578CDDB460E5E2A8B2976286B5063D93A94C
File Size: 469.50 KB, 469504 bytes
Show More
MD5: e1cf504f4e68a6dd2856b77a090e41c8
SHA1: cd3c0cb6944f842122d61e31fc71fc2a425821fc
SHA256: B4BAC6889E0822DF2E138EABA89C182BE719F0C6A3FEDA8392EF6E268C29DF0D
File Size: 1.07 MB, 1074176 bytes
MD5: 3eeca123adca108288b41c84cbb1c13b
SHA1: f3d464ee782ca8a6d8a516dcbd4cc3cd89c07875
SHA256: 0567C62493D9E3E454F0EDCEE4A10923C5C4C4F3603F08B403F05D68E53D8244
File Size: 803.84 KB, 803840 bytes
MD5: 07a8531fd0188f105e6488195f4f2cc7
SHA1: 0f9d53aa1fa744a2c382ed8c563222c5b8d749ad
SHA256: C8E635BCC658AE999282BA8C8E858F85A6965D9F7D47B314127AF42CABBF2A0F
File Size: 1.03 MB, 1031752 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Digital Signatures

Signer Root Status
NVIDIA Corporation VeriSign Class 3 Code Signing 2010 CA Self Signed
NVIDIA Corporation VeriSign Class 3 Public Primary Certification Authority - G5 Root Not Trusted

File Traits

  • dll
  • HighEntropy
  • imgui
  • No Version Info
  • ntdll
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 2,411
Potentially Malicious Blocks: 162
Whitelisted Blocks: 1,821
Unknown Blocks: 428

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 x 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 ? 0 ? ? 0 ? 0 ? ? 0 0 0 0 0 ? ? ? ? ? 0 ? ? 0 ? ? 0 ? 0 0 ? ? ? 0 ? 0 ? ? ? ? ? ? ? ? 0 ? ? ? ? 0 ? ? 0 ? ? ? 0 ? ? ? 0 ? ? 0 ? ? ? ? ? ? ? ? ? 0 0 ? ? ? 0 0 0 0 1 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 0 0 ? 0 0 0 ? ? 0 0 0 0 x ? ? ? ? ? ? 0 ? ? 0 ? x ? ? ? 0 0 0 ? ? ? ? ? ? 0 0 ? ? 0 ? ? ? ? ? ? ? 0 ? 0 0 0 ? ? ? x ? 0 ? 0 ? ? ? ? ? ? ? 0 ? ? ? 0 ? ? ? 0 ? ? ? 0 ? ? ? 0 ? ? ? ? 1 ? ? 0 ? 0 ? 0 ? 0 ? ? ? 0 0 ? ? ? 0 0 ? ? ? ? 0 0 ? ? ? ? ? 0 ? ? ? ? 0 ? 0 ? ? 0 ? ? ? ? 0 ? ? ? 0 ? ? ? 0 ? ? ? ? ? 0 ? ? ? 0 ? ? ? ? ? ? 0 ? ? ? ? 0 ? ? ? 0 0 ? ? ? 0 ? ? ? 0 0 0 ? 0 0 ? 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? 0 x 0 x 0 x ? x 0 ? x 0 ? x 0 ? x 0 ? x 0 ? ? ? ? 0 ? 0 ? ? 0 0 ? 0 ? ? 0 ? ? ? ? 0 ? ? 0 ? ? 0 0 0 ? ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? ? ? 0 0 0 0 ? ? 0 0 0 0 0 ? 0 0 ? 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 x 0 0 x 0 1 0 0 0 0 0 0 0 0 0 x ? 0 0 0 0 0 ? 0 0 x 0 0 0 ? 0 x 0 0 x 0 0 0 0 0 0 0 x 0 0 x 1 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 ? 0 ? 0 0 ? 0 ? ? ? x 0 x x 0 ? x 0 0 0 0 0 0 0 0 x 1 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 ? 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 x 0 ? ? 0 ? 0 0 0 ? 0 0 0 0 ? 0 ? 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? 0 x ? 0 x 0 0 x 0 0 0 0 0 x 0 x ? 0 0 0 0 0 0 1 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 1 0 0 0 0 0 0 0 ? 0 0 1 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 ? x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 ? x 0 0 ? ? ? ? ? 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? 0 0 0 ? x x ? 0 0 0 0 0 x 0 x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x ? 0 ? ? ? ? x x x ? ? 0 x ? 0 0 0 0 ? 0 0 ? ? 0 ? ? 0 0 0 ? ? 0 ? x x 0 x 0 0 0 0 0 0 0 0 x ? 0 x 0 0 0 0 0 ? x 0 x 0 0 0 0 0 ? x ? 0 0 0 0 0 0 x 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 x 0 0 0 x x 0 x 0 x 0 x 0 x x x x x 0 x 0 0 0 x x x 0 x x 0 x x x x x 0 x 0 0 0 x x 0 x 0 x 0 x 0 x x x x x 0 x 0 x x 0 x 0 x 0 x x 0 x x x 0 x x x 0 0 0 x x x x 0 x 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? 0 0 ? ? ? ? ? ? 0 ? ? ? x ? ? x ? ? x ? x ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 ? ? ? x ? 0 0 ? ? ? ? ? ? ? ? ?
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 朙棝✂ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateReserveObject
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
Show More
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletionEx
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl

75 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
Process Terminate
  • TerminateProcess
Process Shell Execute
  • ShellExecute

Shell Command Execution

open Minecraft://

Related Posts

Trending

Most Viewed

Loading...