PUP.MSIL.Gamehack.BBA

Analysis Report

General information

Family Name: PUP.MSIL.Gamehack.BBA
Signature status: No Signature

Known Samples

MD5: 1741681c78a3908674a1cab823826cb5
SHA1: 59f776390b7ca40e6fae7266ee2d7ead2e9e51b3
SHA256: 326F3660304C5A9E523CA61232E41B99DDF1255DA1870B9A25EAD0C0CD791A3E
File Size: 157.22 KB, 157222 bytes
MD5: a40dd5af0e1f54c5e0c4c81ea2e00edd
SHA1: fde94e62921e4fa9c39e90870c061b6f6841f9c6
SHA256: B6FBBB2A1A26F239D071ECA0671AE49AAA800E328FF9A3D03B6B6A564B8A7583
File Size: 1.01 MB, 1010688 bytes
MD5: 13dee2006b96be1d0e42d500a025e31f
SHA1: ee5ad857808834778ea6e597e682ce4ece28cfe8
SHA256: 298F29CECA93F377B11B1BE44AB42B27DE3EDA37C374456FD4ABF03D51805966
File Size: 47.10 KB, 47104 bytes
MD5: 49e8f62771a5eeec479417162bb7c910
SHA1: 4f7c9d3ca9b174d857930c5f4a1a74def91cb020
SHA256: 787AD9473C3064245CFD424BBF8394326A3C08E3122B7169B51DFE25FAAC5896
File Size: 406.53 KB, 406528 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 1.2.28.0
  • 1.0.0.0
Comments
  • Data Structures
  • Read and Write to process memory. Make PC cheat trainers easily!
Company Name
  • AotForms
  • Client
  • Meta.Core
  • New Age Software LLC
File Description
  • AotForms
  • Client
  • Memory
  • Meta.Core
File Version
  • 1.2.28.0
  • 1.0.0.0
Internal Name
  • AotForms.dll
  • Client.dll
  • Memory.dll
  • Meta.Core.dll
Original Filename
  • AotForms.dll
  • Client.dll
  • Memory.dll
  • Meta.Core.dll
Product Name
  • AotForms
  • Client
  • Memory.dll
  • Meta.Core
Product Version
  • 1.2.28+8d1ddd938c5a9d71add8088a6b77cb8cd7690806
  • 1.0.0

File Traits

  • .NET
  • dll
  • HighEntropy
  • ntdll
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 576
Potentially Malicious Blocks: 180
Whitelisted Blocks: 308
Unknown Blocks: 88

Visual Map

0 0 0 0 x x x x x 0 x x x 0 x x x 0 x x x x x x x ? x x ? x ? x x x x ? x x x x x x x x x x x x x x 0 x ? x x 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 x x x x x 0 0 x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x x x 0 x x 0 0 x 0 x x 0 x 0 x x 0 0 x x x 0 x x 0 0 x 0 0 0 0 0 0 0 0 x 0 x x x x x x x x x x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 x 0 0 0 0 0 x 0 0 0 x x x x x 0 x x x x x x 0 0 x x x x 0 x x 0 x x 0 x x x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x x x x x x x x 0 x x x 0 0 0 0 0 0 0 0 x 0 x x x 0 0 0 0 0 0 x x x x x 0 0 x 0 x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? 0 x 0 x ? 0 0 ? ? 0 0 ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? 0 0 0 0 0 0 ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 ? ? ? 0 ? x ? ? ? ? ? ? ? x ? ? ? ? x ? ? 0 0 ? ? ? ? ? ? 0 ? 0 0 0 ? x 0 ? ? x 0 0 ? 0 ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? ? x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDuplicateToken
Show More
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtUserBuildHwndList
  • win32u.dll!NtUserCallTwoParam
  • win32u.dll!NtUserCreateEmptyCursorObject
  • win32u.dll!NtUserCreateWindowEx
  • win32u.dll!NtUserDestroyWindow
  • win32u.dll!NtUserFindExistingCursorIcon
  • win32u.dll!NtUserGetAncestor
  • win32u.dll!NtUserGetClassInfoEx
  • win32u.dll!NtUserGetClassName
  • win32u.dll!NtUserGetDC
  • win32u.dll!NtUserGetGUIThreadInfo
  • win32u.dll!NtUserGetIconInfo
  • win32u.dll!NtUserGetIconSize
  • win32u.dll!NtUserGetImeInfoEx
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetObjectInformation
  • win32u.dll!NtUserGetProcessWindowStation
  • win32u.dll!NtUserGetProp
  • win32u.dll!NtUserGetThreadDesktop
  • win32u.dll!NtUserGetThreadState
  • win32u.dll!NtUserGetWindowCompositionAttribute
  • win32u.dll!NtUserIsNonClientDpiScalingEnabled
  • win32u.dll!NtUserIsTopLevelWindow
  • win32u.dll!NtUserMessageCall
  • win32u.dll!NtUserRegisterClassExWOW
  • win32u.dll!NtUserRegisterWindowMessage
  • win32u.dll!NtUserReleaseDC
  • win32u.dll!NtUserRemoveProp
  • win32u.dll!NtUserSelectPalette
  • win32u.dll!NtUserSetCursorIconData
  • win32u.dll!NtUserSetWindowFNID

3 additional items are not displayed above.

Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • NtQuerySystemInformation

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ee5ad857808834778ea6e597e682ce4ece28cfe8_0000047104.,LiQMAxHB

Trending

Most Viewed

Loading...