PUP.Gamehack.HQE

Analysis Report

General information

Family Name: PUP.Gamehack.HQE
Signature status: No Signature

Known Samples

MD5: a4ff6471f4d184d5596dafc8afd928d0
SHA1: 6e3884a974fe58dab5cff74d884fb5d903cc983b
SHA256: DEAEB961BA4BF1C863886759320D464A91DB15E48EB20D98E543F5363FE79F89
File Size: 541.58 KB, 541582 bytes
MD5: 244eecb27e3ff4bdfc188a1c957e4f6d
SHA1: 5ea5a7aa6f284e3e1a33aed8dd5b2f7d4b05e145
SHA256: E2413D028FB60A7AADC12B8A6392DEE6A48F3B14A70FACC6E7520C7791A7E103
File Size: 386.05 KB, 386048 bytes
MD5: 731ddae971f26bc1c5b992ce1e8ce9f5
SHA1: 17aa50cc04e64a3822af43570c6ead14a637aca7
SHA256: 97023C5454B598314958373288094BC14F550031A38DA7AB426E88509DF518D2
File Size: 2.40 MB, 2398208 bytes
MD5: 07ac4b24588a23c97bdad01e5f026c8c
SHA1: 6a105c15daf5fa5924b89ad52b3cdec3ac3759e3
SHA256: DE05FA4DE1EE65ABA0ED4649D0052505FCA0959DA8D9040E12C85DCED4DBE3ED
File Size: 299.98 KB, 299975 bytes

Windows Portable Executable Attributes

Note: attributes are aggregated over the samples listed above, so mutually exclusive entries (console vs. GUI subsystem, exports table present vs. absent) describe different samples rather than one file.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name Synaptics
File Description Synaptics Pointing Device Driver
File Version 1.0.0.4
Product Name Synaptics Pointing Device Driver
Product Version 1.0.0.0

File Traits

Note: traits are aggregated over the listed samples; "No Version Info" and "dll" therefore apply to some of them only (the version information above comes from another).

  • 2+ executable sections
  • big overlay
  • dll
  • HighEntropy
  • No Version Info
  • ntdll
  • WriteProcessMemory
  • x86
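
The attribute and trait lists above come from a static scanner; for this family the few that matter (overlay presence and size, overlay entropy, subsystem, the DLL flag and the number of executable sections) are worth reproducing directly from the bytes. The following is an added example, not code from the report or from the scanner that produced it: a minimal PE32 header walk using only Python's standard library. Because a trait named `HighEntropy` can mean either high-entropy content or the `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` bit in `DllCharacteristics`, the function reports both so the reader can see which one a given sample exhibits. The image it runs on is constructed by `build_sample_pe` (a synthetic, non-loadable two-section PE32, assumed here for illustration); it is not one of the listed samples, and the field offsets are the standard PE/COFF layout.

```python
"""Added example: minimal PE32 trait extraction (not code from the report or
the scanner that produced it). Offsets follow the PE/COFF specification; the
sample image below is constructed and is not one of the listed samples."""
import math
import random
import struct
from dataclasses import dataclass

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}


@dataclass
class PeTraits:
    is_dll: bool
    subsystem: str
    high_entropy_va: bool        # the DllCharacteristics bit, not a content measure
    executable_sections: int
    overlay_offset: int          # end of the last section's raw data
    overlay_size: int
    overlay_entropy: float       # Shannon entropy of the overlay, bits per byte


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_traits(data: bytes) -> PeTraits:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, file_chars = struct.unpack_from("<HH", data, pe + 20)
    opt = pe + 24                                          # optional header start
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    section_table = opt + opt_size
    end_of_sections, exec_sections = size_of_headers, 0
    for i in range(nsec):                                  # 40-byte section headers
        hdr = section_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sec_chars, = struct.unpack_from("<I", data, hdr + 36)
        if sec_chars & IMAGE_SCN_MEM_EXECUTE:
            exec_sections += 1
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]                       # empty when nothing trails the sections
    return PeTraits(
        is_dll=bool(file_chars & IMAGE_FILE_DLL),
        subsystem=SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}"),
        high_entropy_va=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        executable_sections=exec_sections,
        overlay_offset=end_of_sections,
        overlay_size=len(overlay),
        overlay_entropy=shannon_entropy(overlay),
    )


def build_sample_pe(overlay: bytes, subsystem: int = 2, dll: bool = False,
                    high_entropy_va: bool = False) -> bytes:
    """Constructed, non-loadable PE32: DOS header, PE headers, a .text (executable)
    and a .data section of 0x200 raw bytes each, then `overlay`."""
    pe_off, opt_size, headers_size = 0x40, 224, 0x200
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    file_chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 60, headers_size)          # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, subsystem,
                     IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA if high_entropy_va else 0)
    sections, raw_ptr = b"", headers_size
    for name, flags in ((b".text", 0x60000020), (b".data", 0xC0000040)):
        sections += struct.pack("<8sIIIIIIHHI", name, 0x200, raw_ptr, 0x200, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += 0x200
    header = (bytes(dos) + file_hdr + bytes(opt) + sections).ljust(headers_size, b"\0")
    body = b"\xC3".ljust(0x200, b"\0") + bytes(0x200)      # ret stub, zeroed data
    return header + body + overlay


def demo():
    """GUI image with 8 KiB of pseudo-random overlay (a 'big overlay' with high
    entropy) versus a CUI image with a zero-filled overlay but HIGH_ENTROPY_VA set."""
    rng = random.Random(2024)
    noisy = build_sample_pe(bytes(rng.randrange(256) for _ in range(8192)), subsystem=2)
    padded = build_sample_pe(bytes(8192), subsystem=3, high_entropy_va=True)
    return pe_traits(noisy), pe_traits(padded)


if __name__ == "__main__":
    for traits in demo():
        print(traits)
```

`pe_traits` treats everything after the highest `PointerToRawData + SizeOfRawData` (or after `SizeOfHeaders`, for a sectionless file) as overlay, which is the same definition most scanners use; an overlay whose entropy sits near 8 bits per byte is compressed or encrypted payload, whereas a large low-entropy overlay is usually padding or an appended archive with stored entries.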

Block Information

Total Blocks: 33
Potentially Malicious Blocks: 24
Whitelisted Blocks: 7
Unknown Blocks: 2

Visual Map

x x x x 0 0 x x 0 0 0 ? ? x x x x x x x x x x x x x x 0 x x 0 x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Gamehack.HQE

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes
c:\programdata\synaptics Synchronize,Write Attributes
c:\programdata\synaptics\rcx8189.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\synaptics\synaptics.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\synaptics\synaptics.exe Synchronize,Write Attributes
c:\programdata\synaptics\synaptics.exe Synchronize,Write Data
c:\users\user\appdata\local\temp\qpydz9n.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\winsl Synchronize,Write Attributes
c:\users\user\appdata\roaming\winsl\l4\23\2026 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\._cache_17aa50cc04e64a3822af43570c6ead14a637aca7_0002398208 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\._cache_17aa50cc04e64a3822af43570c6ead14a637aca7_0002398208 Synchronize,Write Attributes
c:\users\user\downloads\6a105c15daf5fa5924b89ad52b3cdec3ac3759e3_0000299975logini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\[crack-soft.net].cmd Generic Write,Read Attributes
c:\windows\[crack-soft.net].cmd Synchronize,Write Attributes
c:\windows\[crack-soft.net].exe Generic Write,Read Attributes
c:\windows\[crack-soft.net].exe Synchronize,Write Attributes
c:\windows\[crack-soft.net].ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\__tmp_rar_sfx_access_check_153183218 Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::synaptics pointing device driver C:\ProgramData\Synaptics\Synaptics.exe RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 (binary data) RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Other Suspicious
  • AdjustTokenPrivileges
Service Control
  • OpenSCManager
  • OpenService
  • StartServiceCtrlDispatcher
Process Terminate
  • TerminateProcess
Network Winsock2
  • WSAStartup
  • WSAttemptAutodialName
Network Winhttp
  • WinHttpOpen
Network Wininet
  • InternetOpen
  • InternetOpenUrl
  • InternetReadFile
Network Winsock
  • bind
  • closesocket
  • gethostbyname
  • getsockname
  • socket

Shell Command Execution

(NULL) C:\Windows\[crack-soft.net].cmd
WriteConsole:
WriteConsole: C:\Windows>
WriteConsole: [crack-soft.net]
WriteConsole: -i
WriteConsole:
C:\Windows\[crack-soft.net].exe [crack-soft.net].exe -i
WriteConsole: Global Injector v1.0
WriteConsole:
WriteConsole: 09216990 001758 SysMain -> Install: CreateService failed with 87!
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5ea5a7aa6f284e3e1a33aed8dd5b2f7d4b05e145_0000386048.,LiQMAxHB
runas c:\users\user\downloads\._cache_17aa50cc04e64a3822af43570c6ead14a637aca7_0002398208
runas C:\ProgramData\Synaptics\Synaptics.exe InjUpdate
WriteConsole: -I: Install as a service
WriteConsole: -U: Uninstall the service
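
The file, registry and command-line entries above are the raw sandbox record. The following is an added triage helper, not part of the original report or of any vendor tool, that pulls out the pivots an analyst would act on: the `Run` value pointing at `C:\ProgramData\Synaptics\Synaptics.exe` (persistence; the injector's own console output shows its `CreateService` call failing with Win32 error 87, ERROR_INVALID_PARAMETER, so the Run value is the persistence that actually landed in this run), executable content written to disk, the `._cache_<sha1>_<size>` file in Downloads, the RAR SFX access-check marker, `rundll32.exe` being pointed at a non-DLL file in Downloads with an export name, and the `runas` ShellExecute verb (a UAC elevation prompt). The input lines are copied from the report above and re-keyed as tab-separated fields because the report's space-separated layout cannot be split unambiguously (paths contain spaces); the category names and matching rules are this example's own assumptions, not a signature from the page.

```python
"""Added triage helper over the sandbox record above (example code, not part of
the report or of any vendor tool). Input lines are copied from the report and
re-keyed as tab-separated fields; categories and rules are this example's
assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: path<TAB>access, copied from "Files Modified" above.
FILE_EVENTS = """\
c:\\program files\\common files\\system\\symsrv.dll\tGeneric Write,Read Attributes
c:\\programdata\\synaptics\\synaptics.exe\tGeneric Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\\programdata\\synaptics\\synaptics.exe\tSynchronize,Write Attributes
c:\\users\\user\\appdata\\local\\temp\\qpydz9n.ini\tGeneric Read,Write Data,Write Attributes,Write extended,Append data
c:\\users\\user\\downloads\\._cache_17aa50cc04e64a3822af43570c6ead14a637aca7_0002398208\tGeneric Read,Write Data,Write Attributes,Write extended,Append data
c:\\windows\\[crack-soft.net].cmd\tGeneric Write,Read Attributes
c:\\windows\\[crack-soft.net].exe\tGeneric Write,Read Attributes
c:\\windows\\__tmp_rar_sfx_access_check_153183218\tGeneric Read,Write Data,Write Attributes,Write extended,Append data
"""

# Constructed input: key::value<TAB>data<TAB>api, copied from "Registry Modifications".
REGISTRY_EVENTS = """\
HKCU\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap::proxybypass\t\tRegNtPreCreateKey
HKLM\\software\\wow6432node\\microsoft\\windows\\currentversion\\run::synaptics pointing device driver\tC:\\ProgramData\\Synaptics\\Synaptics.exe\tRegNtPreCreateKey
HKCU\\software\\microsoft\\windows\\currentversion\\explorer::slowcontextmenuentries\t\tRegNtPreCreateKey
"""

# Constructed input: one command line per line, copied from "Shell Command Execution".
COMMAND_LINES = """\
C:\\Windows\\[crack-soft.net].exe [crack-soft.net].exe -i
C:\\WINDOWS\\SysWOW64\\rundll32.exe C:\\WINDOWS\\system32\\rundll32.exe c:\\users\\user\\downloads\\5ea5a7aa6f284e3e1a33aed8dd5b2f7d4b05e145_0000386048.,LiQMAxHB
runas c:\\users\\user\\downloads\\._cache_17aa50cc04e64a3822af43570c6ead14a637aca7_0002398208
runas C:\\ProgramData\\Synaptics\\Synaptics.exe InjUpdate
"""

WRITE_MARKERS = ("generic write", "write data", "append data")   # access rights that change content
PAYLOAD_EXT = (".exe", ".dll", ".cmd", ".bat", ".scr")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?::", re.IGNORECASE)
# rundll32 <target>,<export>: capture the target the loader will LoadLibrary and the export it calls
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<target>\S+?),(?P<export>\S+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


def parse_tsv(text: str) -> List[List[str]]:
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def triage(file_events: str = FILE_EVENTS,
           registry_events: str = REGISTRY_EVENTS,
           command_lines: str = COMMAND_LINES) -> List[Finding]:
    findings: List[Finding] = []
    written: Dict[str, str] = {}        # lower-cased path -> access, only where data was written

    for path, access in parse_tsv(file_events):
        lowered = path.lower()
        if any(marker in access.lower() for marker in WRITE_MARKERS):
            written[lowered] = access
        name = lowered.rsplit("\\", 1)[-1]
        if name.startswith("._cache_"):
            findings.append(Finding("drop:cached_original", path))
        elif name.startswith("__tmp_rar_sfx_access_check"):
            findings.append(Finding("drop:rar_sfx_marker", path))

    for lowered in written:
        if lowered.endswith(PAYLOAD_EXT):
            findings.append(Finding("drop:executable", lowered))

    for key_value, data, _api in parse_tsv(registry_events):
        if RUN_KEY_RE.search(key_value) and data:
            findings.append(Finding("persistence:run_key", f"{key_value} = {data}"))
            if data.lower() in written:   # the persisted binary was dropped during this run
                findings.append(Finding("persistence:target_written_this_run", data))

    for line in command_lines.splitlines():
        match = RUNDLL32_RE.search(line)
        if match and not match.group("target").lower().endswith(".dll"):
            findings.append(Finding("exec:rundll32_non_dll",
                                    f"{match.group('target')} export {match.group('export')}"))
        if line.lower().startswith("runas "):
            findings.append(Finding("exec:runas_elevation", line[len("runas "):]))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(f"{finding.category:38} {finding.evidence}")
```

The cross-check between the Run value's data and the set of files whose content was written in the same run is the one worth keeping in any sandbox post-processor: a persistence entry that points at a file the sample itself created is a far stronger signal than either observation alone.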
