Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.Gamehack.HMA

PUP.Gamehack.HMA

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.Gamehack.HMA
Signature status: No Signature

Known Samples

MD5: 5c8ef834e0ef2841fd8126daff7ae345
SHA1: 34bf9bbbb6b5a2ac6135bad72014e6738fb84816
SHA256: FB12143280DF7C3FC50615521180E7B05D44B42993C422F31856D564147A5907
File Size: 1.12 MB, 1116160 bytes
MD5: ce2f52eb9e57266a82f7d349b2e1b2c5
SHA1: 9c6b066f87545b7430ece59a0941f0f74bba0fa8
SHA256: D3C7A1337E4A15A1590DED175A779EE88BB0054137A9E9F997B5A301B3CB9FC3
File Size: 1.35 MB, 1348608 bytes
MD5: 78d10806ce81089acff285ff455d99de
SHA1: aa7aa99aa1d18f3d5e753a322c381087cb236ed1
SHA256: D721809357B25DE604688F921FD7702F0693356D1C7DD694C78B1ACA7C97101A
File Size: 1.44 MB, 1437696 bytes
MD5: a7af68805c89c1b9c854b275b989c560
SHA1: 69ad39147b1a1ebd01761f173e7a9970d4449b2c
SHA256: 0E853DB77E6DEAC164A5A0B78C725DE48880C991BDA98B0CCFA5D76C78DC81E1
File Size: 1.07 MB, 1065472 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name Ichirin
Developer Ichirin
File Version 2.0.0.0
Internal Name PracticeEX
Legal Copyright Ichirin, 2021
Original Filename PracticeEX

File Traits

  • dll
  • HighEntropy
  • imgui
  • ntdll
  • x86

Block Information

Total Blocks: 3,093
Potentially Malicious Blocks: 168
Whitelisted Blocks: 2,204
Unknown Blocks: 721

Visual Map

? ? ? ? 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? 0 0 ? ? 0 0 ? ? ? 0 ? ? 0 ? 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? ? 0 ? ? ? ? 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 ? ? 0 0 0 0 0 1 ? ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 ? ? ? 1 0 ? ? 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 ? ? 0 ? ? ? 0 ? ? 0 ? ? ? ? ? ? ? 0 0 0 0 0 0 ? ? 0 0 0 0 0 ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 ? ? ? ? ? 0 0 0 0 0 0 ? ? ? ? 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 ? 0 0 ? 0 0 0 ? ? ? ? 0 ? ? ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 1 1 0 0 0 0 0 0 ? 0 ? 0 ? 0 ? ? 0 0 ? ? 0 0 ? ? 0 ? ? 0 ? 0 ? 0 ? ? ? 0 ? ? ? ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? ? ? ? 0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 ? ? ? ? 0 ? ? 0 0 0 0 0 ? 0 ? ? 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 0 ? ? ? 0 ? ? ? ? ? ? ? ? ? 0 ? ? ? 0 ? 0 ? 0 0 0 ? ? ? ? ? 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 ? ? x 0 ? ? 0 ? ? ? ? ? ? 0 x x x 0 0 x x 0 x x 0 x x 0 ? ? ? 0 0 0 ? ? ? 0 0 ? ? ? x x ? ? 0 ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x x x x x x x x x x x x 0 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x 0 ? ? ? ? ? 0 0 0 0 0 ? 0 0 0 ? ? 0 ? 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 x x 0 0 x 0 0 0 0 0 0 ? 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 ? ? x x 0 x x 0 x 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x ? x 0 0 ? 0 x 0 0 0 0 ? x x 0 0 x 0 x x x 0 x 0 0 0 x ? ? x ? x x 0 x 0 0 0 x ? 0 ? 0 ? 0 ? ? x x 0 x ? x ? x ? 0 0 0 0 0 0 0 0 0 0 x x ? x x 0 x x 0 ? x 0 x x 0 x 0 0 x 0 x 0 0 0 0 0 0 0 0 0 ? x ? x x x x x x x x 0 0 x x x ? ? 0 0 0 0 0 ? x ? x x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? x ? 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 ? 0 x x 0 0 0 x x 0 0 x 0 0 0 0 ? 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 x ? 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 x 0 x 0 0 0 0 0 0 x x x ? x ? ? ? ? ? ? ? ? ? 0 ? 0 x ? 0 0 0 x 0 0 0 0 0 ? 0 ? x 0 ? 0 0 ? 0 0 0 0 0 0 0 0 x 0 0 0 x 0 ? 0 0 0 0 0 0 0 x ? ? 0 ? x 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? ? ? ? ? ? 0 x 0 0 ? ? 0 0 0 0 0 ? 0 ? ? 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 ? ? 0 ? ? ? x x ? x 0 ? 0 0 x 0 ? 0 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 0 0 0 0 0 0 ? ? 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 ? 0 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 ? ? 0 ? 0 0 0 0 0 0 0 ? ? 0 0 0 0 ? 0 ? 0 0 ? 0 ? ? ? ? ? ? ? ? 0 0 0 ? ? ? 0 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 ? ? ? ? ? ? ? ? 0 0 ? 0 ? 0 ? ? 0 0 ? 0 ? 0 ? ? ? ? ? ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 0 0 0 0 0 ? 0 ? 0 0 ? 0 ? ? ? ? 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 ? ? 0 ? ? ? ? ? 0 ? ? ? 0 ? ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 ? 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 㒧੹ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
Show More
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExcludeClipRect
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtSelectClipRgn
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFlush
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry

99 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\34bf9bbbb6b5a2ac6135bad72014e6738fb84816_0001116160.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9c6b066f87545b7430ece59a0941f0f74bba0fa8_0001348608.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\aa7aa99aa1d18f3d5e753a322c381087cb236ed1_0001437696.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\69ad39147b1a1ebd01761f173e7a9970d4449b2c_0001065472.,LiQMAxHB

Trending

Most Viewed

Loading...