PUP.Gamehack.HDK

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.Gamehack.HDK
Signature status:	No Signature

Known Samples

MD5: b3e595fffb3fe7fcb45c030d111281ad

SHA1: 16e60f184f0f1577bca9551d45938fe7d0afbc14

SHA256: AB01F1A65DAC3F081B8F594DF88694EBE28218901D4B2989BE1FDC0FD6161D13

File Size: 2.45 MB, 2445312 bytes

MD5: 7d98039c538c63fee95a06b937a84de2

SHA1: cb769505f9d64ea3607ee8aff8f51f2e7f522c6e

SHA256: F8D1BFC5C0D18E0D2D8A106A72136396E600CC772CD8E1555ADBB087F45B9CDD

File Size: 349.18 KB, 349184 bytes

MD5: a4f27cdab1b9a91763d8bc1077a7849a

SHA1: c4a163d166e26556627b72e1b00bff755cc3896a

SHA256: A5DB7EA89BF99920237E0548C86FD12025E91E89B28052401F294A7CFC792EA2

File Size: 1.07 MB, 1068032 bytes

MD5: b95a76c5c80dee266307a78b8ca9b9f2

SHA1: 6b9d5d7a57d470de9f9c85087e09b78d952239e6

SHA256: A5F2726C25605048139917520564F8D7ED55B371BDF9CFB19FC7E273B9B8E850

File Size: 1.79 MB, 1785856 bytes

MD5: 80db3abb72f613a673ea659623cb73f4

SHA1: adcbed5e2745f5301968919ba700b12871bacd83

SHA256: 1AA9B0895CAB641120F297DD20D5B13A06D9D816C2719174FDE7C94EAE12F24E

File Size: 409.60 KB, 409600 bytes

MD5: b9aa8be6582ab033e2af83969ba4fc65

SHA1: 7bd760e41ae9901ee3910de311bdc67bca58a990

SHA256: 4B5343C317CB32DC3470BC5B822D33CE5C842CCC4D3C78D839DA2C0EEE759A84

File Size: 1.31 MB, 1314816 bytes

MD5: 2b6440e0b9a2a2d648ae6a917813abb0

SHA1: 731e27d1bf40cb22a21344f324db2f5e36e67f3c

SHA256: 2A2173D8CA9602B05ED7C59A93DD690F472D8E923C397993008E735E01A4B219

File Size: 1.81 MB, 1805312 bytes

MD5: d9fc803d4d359c9f7c033c8a1e59d2d3

SHA1: 3f92207f80ad83d65af833d118753fd41e855756

SHA256: FE42903D6C86BCABA3E0CC722F8B596258974EF6CFAE895844F77D2D12B7F7C5

File Size: 3.83 MB, 3830784 bytes

MD5: d49e43f12fa0797ff70e56e329a14b2b

SHA1: 52e2ecc73f53ad82db3a330d466d0639cb2362a0

SHA256: EC81E0DB7EE80503F4C494044E54BE1201F6EC0ACCC3B3EDB7E36682C4B2D874

File Size: 1.94 MB, 1944064 bytes

MD5: 98c95e38f3e449061a84310eae53861a

SHA1: 2bca0a2e9b99e0f962446d9f703d214310ce28e2

SHA256: B2F1DA03A5EA2FA295085A290515F84EE52A70CB867D610765445BEA92597ACB

File Size: 3.83 MB, 3830272 bytes

MD5: 3aca25c34fb9183c247dd77000dc9e8d

SHA1: 6e6bc2f60fe717e6f0deee21926dcbb5ee59f41f

SHA256: 8BA277BFAABDCB7FE76D14B1373D5FA68FDCE82DF1CF7655621F471D523E409F

File Size: 2.51 MB, 2513920 bytes

MD5: a7615ffb35efffac391140e9a34425d8

SHA1: c70c1d3ecbdc7c27a5510f424024f38f6d4899dd

SHA256: F14F622C65ABF19DFB17EFAC25E100BEC323C3E924FD60ED52D7162C44CAA8F2

File Size: 1.54 MB, 1540096 bytes

MD5: d6ddabd7ce300d9da3bc5c209583a27b

SHA1: 2dbd29f89a20fd0f0d909f1b1aadd022ba92ee71

SHA256: AE6E40FEEE564902E6FF9D0EC4ECA2FF2F5BBA3143520474B758D8F1878D6458

File Size: 1.24 MB, 1236480 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File doesn't have resources
File doesn't have security information
File has exports table
File has TLS information
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
File Description	IW3 single player modification Portal 2 RTX Remix Compatibility Mod
File Version	3.9.7.85 2.0
Internal Name	IW3SP-MOD p2-rtx
Legal Copyright	Jerry4LT xoxor4d.github.io
Original Filename	game.dll p2-rtx.dll
Product Name	IW3SP-MOD p2-rtx
Product Version	3.9.7 2.0

File Traits

dll
fptable
HighEntropy
imgui
No Version Info
WriteProcessMemory
x86

Block Information

Total Blocks:	2,373
Potentially Malicious Blocks:	267
Whitelisted Blocks:	1,866
Unknown Blocks:	240

Visual Map

? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? ? 0 0 ? 0 0 ? 0 ? ? 0 ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? 0 0 0 0 0 ? ? 0 0 0 ? ? 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 ? ? ? ? ? 0 ? 0 0 0 0 ? 0 0 0 0 ? ? 0 ? 0 ? 0 ? 0 ? 0 0 0 ? 0 0 x 0 ? ? 0 ? 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 ? 0 0 0 ? ? 0 ? 0 0 0 ? 0 0 ? 0 0 0 0 0 0 0 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 x ? ? 0 ? 0 0 ? ? 0 ? ? ? ? ? 0 0 ? ? ? 0 0 0 ? 0 x ? 0 0 0 0 0 0 0 0 0 x ? ? 0 ? x x 0 0 0 0 x x ? x x x x 0 x x x 0 0 x 0 x 0 0 0 0 0 0 x ? 0 0 x 0 0 0 x 0 0 0 x x x x x 0 0 0 x 0 x x 0 0 0 0 0 x 0 0 0 0 ? ? x 0 0 x 0 x 0 ? x 0 0 x 0 0 x x ? x ? 0 ? 0 0 ? x 0 ? ? ? x ? x 0 0 x x x ? x x x x 0 ? ? 0 0 x 0 x ? ? ? 0 ? 0 0 0 ? x x x x ? x x 0 0 0 0 x x ? x x x ? 0 0 ? ? ? 0 ? ? x ? x 0 ? ? 0 0 0 0 0 x 0 x ? x x 0 0 0 0 ? x x 0 x x x x 0 0 ? x x ? ? x x ? x x 0 0 x 0 0 0 0 ? x x x ? 0 0 0 0 0 ? x x 0 0 0 0 x x 0 x ? ? x 0 x x x 0 ? 0 0 x 0 x 0 0 0 x 0 x x x x 0 x 0 x x ? x x x x x 0 0 ? x x 0 x 0 0 0 0 0 x x x x x x 0 x x 0 0 x 0 0 0 0 0 0 x ? x x 0 0 0 x 0 x x 0 x 0 x 0 x x x x x x x x 0 x 0 x ? x x ? x x x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 ? 0 x x 0 0 x x 0 0 0 x 0 x x 0 0 0 0 0 0 0 0 x x ? x x 0 0 x 0 x x 0 0 0 0 0 0 0 0 x x 0 0 0 ? 0 x x x 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 x x 0 x x x x 0 0 x 0 ? x ? ? 0 0 0 ? ? 0 0 0 0 x 0 0 0 x x x x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x ? 0 x x x 0 0 0 0 0 ? x ? ? x 0 x 0 x 0 x ? 0 x x ? 0 0 ? ? ? x 0 x x 0 0 0 x 0 x 0 x 0 x x 0 x x 0 ? 0 ? ? 0 0 0 0 ? 0 0 x 0 x x ? 1 ? ? 0 ? 0 x x 0 x ? ? x 0 x x x ? ? 0 ? 0 ? ? 0 0 ? ? 0 0 0 0 0 ? x ? 0 ? x ? 0 0 ? 0 0 x 0 x ? x 0 0 ? ? 0 0 0 x ? 0 0 x x x ? x ? ? 0 x x 0 x ? 0 ? 0 x ? ? 0 x ? ? 0 ? x ? ? ? ? ? ? ? ? ? ? x ? x ? ? ? 0 x 0 x x 0 ? ? ? ? 0 ? ? ? ? ? 0 0 ? 0 x 0 x x x x 0 ? x 0 0 0 ? ? 0 0 0 0 x ? ? ? ? x 0 0 0 ? x x ? x x ? x ? ? x ? ? ? ? ? 0 0 0 x 0 0 0 0 x 0 0 x 0 0 x 0 0 x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 1 0 1 1 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 1 0 3 1 1 1 1 2 0 0 0 0 1 0 0 0 2 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 1 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 2 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 2 2 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0

... Data truncated

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
c:\windows\syswow64\shader patch.log	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\run::watchdog	c:\users\user\downloads\52e2ecc73f53ad82db3a330d466d0639cb2362a0_0001944064	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtProtectVirtualMemory Show More ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
Process Shell Execute	CreateProcess
Anti Debug	NtQuerySystemInformation
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\16e60f184f0f1577bca9551d45938fe7d0afbc14_0002445312.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\c4a163d166e26556627b72e1b00bff755cc3896a_0001068032.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6b9d5d7a57d470de9f9c85087e09b78d952239e6_0001785856.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7bd760e41ae9901ee3910de311bdc67bca58a990_0001314816.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\731e27d1bf40cb22a21344f324db2f5e36e67f3c_0001805312.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3f92207f80ad83d65af833d118753fd41e855756_0003830784.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2bca0a2e9b99e0f962446d9f703d214310ce28e2_0003830272.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6e6bc2f60fe717e6f0deee21926dcbb5ee59f41f_0002513920.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2dbd29f89a20fd0f0d909f1b1aadd022ba92ee71_0001236480.,LiQMAxHB

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.Gamehack.HDK

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trojan.Downloader.ConsCorr

Trojan.Vapsup

Trojan.Vundo.HM

Most Viewed

Pornktube.porn

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen