PUP.MSIL.Gamehack.CCD
Analysis Report
General information
| Family Name: | PUP.MSIL.Gamehack.CCD |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| f674e7ec482a85ee366ec7992ca627ed | 94f5d3219ae76ee755d35b757dba59c64cdd23ca | 078DEC6851B89EFC7E69C53946C6D56438AA68BB98011EFC9E216FE28867E308 | 1.56 MB, 1555968 bytes |
| ce30181f90e3e49e1f231ba99043bc6a | 253540c0c15d004958a4aa7dcdd1856d9e7e543a | F09F2B0A249CC073D379E70D0E2D0F61423B4E07CB8823FC495A0FA2A1595DFF | 5.24 MB, 5244416 bytes |
| d63f2a63175bc518301cd9fd74f03b57 | 68e710b0681d125692cb9ac8fb25b7aaa2548613 | 0252022FBAAFE99FDA028272A33BA05213F96CF492AFEE88E2F4B8E190C965BA | 2.61 MB, 2607616 bytes |
| 696fb4452eaf8cee8f2056a7aab78551 | 840316dc8ac382d7a90a399d408d71f99ec4e900 | D56D30516BE87FEC5B40C75104F5732CCF65B083FCA60CC00B0071A9DEC1939B | 2.04 MB, 2044416 bytes |
| 16c3baa1b9c722070c9c12b746f2270e | 6704500072fb09eb9bdd7346ff61d5c6b8382144 | 30409A2ECC8080DA0093E0A43B56E41C3ED33C998C48B9050BBC17EE89CD25DD | 590.85 KB, 590848 bytes |
| d81dec997bbe623769b6192dd109b40c | fd1f95dd497435ec6d4b1b9bd23e2330370f2923 | F11E33317DBEFB25ACBD803FB59113870459A0DD8E1FCE439E172AB940936ACB | 1.65 MB, 1649664 bytes |
| afee41274603c228c33866c834d2ffa9 | 7073f6586d04aa6ded1e78f8ef997d6efded61b1 | 000E55E389E50C9565C69A759023EBD30529B399DEC76F7FBD2FFC39EDA3F5DD | 336.38 KB, 336384 bytes |
| 893171eabe140f17fbcb8026eeae40c1 | b5fd4bbb85ade541bb90fef231eb14d822c16524 | A5894FFA94BD24C5BE1074ECC8730D7814147950BFE4DB078A6C92CEB92F17A9 | 1.56 MB, 1555456 bytes |
| 49dee0d65db97d7a5b13cd85175d0fba | 42171090353769b1162bfe642ff86b83f4b52e27 | 05BD6AF16F42CDC984EB2DE26340FDBA848BBD0FDB0B60B65A688418BF40F3A2 | 9.21 MB, 9213440 bytes |
| 939dd7e32bb9133333fb7e4b560a6157 | e29ad3bb06a765c49d6054e1d75cd06bf2d411c0 | 9B1E347020F0A89CCB0E3018C4B437E7216854CF33CBD43823153FE432748C95 | 1.78 MB, 1777664 bytes |
| a43593e3be4823dcaafe8b010119b568 | 31a7fe7c8e91dba8b4339be63c840fa6715dc0b4 | 65AB91D168C76EF26805405CAB4D6029AE652B3C08552663EAF70BADDD057165 | 1.65 MB, 1649664 bytes |
| 2c7892105b50355fdd978f6aedb3f05b | b8010160ccf04ba1950da66c093c9a07ffce637c | C1D043397DEDCD15209FE8A71C40AB7C8B3AAC8A1A706B5BC15DD2A95A98C486 | 1.39 MB, 1391104 bytes |
| 7b9a4d01da78111a05bbc634abdcd73e | 9d30c74a840cdf206484083b90395c1513b8dff3 | 24E2C9DE432227777BA2C452F5E20B4AC3BECE77DC40FEB350A4BC64DD4089CC | 453.12 KB, 453120 bytes |
| 7be6a43349c6f7bec4701b6ccdc1ed18 | 708fd9ffb54586c69cd1cb499320cfec0ae223c5 | 6AA2B14CD5D1D7AC5904BE43A841297E652C458AD3F5BC512BC84D30C70636F6 | 1.86 MB, 1859072 bytes |
| c1299e51b8cabc377d884c2cd7159bc0 | 219f2e7046cb54584c5697f1c68a1ae02eb1c51f | 974C30C3EAA281680A3E69FD03C549C15ADFD75C14AFD67594BE15691070C607 | 589.82 KB, 589824 bytes |
| 9e655b31cfbec481fd0885d8ccb0e1d0 | 883fa579cc22a06dc4920c9e2f0e5299c511e853 | 647044C5B6BB109CD30813763EA1B6A3564B8F18D4FF232BD9388D6F8E549898 | 441.86 KB, 441856 bytes |
| e78f13ec35345011adba3580f47ac980 | 28b24b2e428f723208b3ae623b101c12ad8f8bc5 | 28D8AD1CAC07051B576E302536D9EE1F31C7280C19C0AB5DA8597B1AB69B722D | 480.26 KB, 480256 bytes |
| 415c0000cbfea3fc3fbb2b163960eff3 | b4472509ec98733e217b865e819db0dd207ee2b4 | CBF1088E2E95863C8DEA6DBA2E9349EDD92EA41725995C98F85140F6BCADE796 | 1.86 MB, 1856512 bytes |
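A check a responder would run against the table above: compute all three digests of a suspect file in one pass and compare them with these indicators. This is an added example, not EnigmaSoft's code; it embeds only a subset of the hashes and sizes printed above (the remaining rows are added the same way) and assumes nothing else. Two practical details it handles: the page prints SHA256 in upper case and MD5/SHA1 in lower case, so digests are normalised before comparison, and the listed file sizes act as a pre-filter, since an exact-hash indicator cannot match a file of a different size.

```python
import hashlib
import io
import os

# Indicators copied from the Known Samples table above (a subset; the remaining
# rows are added the same way). The page prints SHA256 in upper case and
# MD5/SHA1 in lower case, so everything is lower-cased before comparison.
KNOWN_SAMPLES = {
    "md5": {
        "f674e7ec482a85ee366ec7992ca627ed",
        "c1299e51b8cabc377d884c2cd7159bc0",
        "afee41274603c228c33866c834d2ffa9",
    },
    "sha1": {
        "94f5d3219ae76ee755d35b757dba59c64cdd23ca",
        "219f2e7046cb54584c5697f1c68a1ae02eb1c51f",
        "7073f6586d04aa6ded1e78f8ef997d6efded61b1",
    },
    "sha256": {
        "078DEC6851B89EFC7E69C53946C6D56438AA68BB98011EFC9E216FE28867E308",
        "974C30C3EAA281680A3E69FD03C549C15ADFD75C14AFD67594BE15691070C607",
        "000E55E389E50C9565C69A759023EBD30529B399DEC76F7FBD2FFC39EDA3F5DD",
    },
}
# Exact-hash indicators can only match a file of exactly the same size, so the
# sizes from the table are a cheap pre-filter that avoids hashing most files.
KNOWN_SIZES = {1555968, 589824, 336384}


def normalize_iocs(iocs):
    """Lower-case every digest so comparisons are case-insensitive."""
    return {algo: {h.lower() for h in digests} for algo, digests in iocs.items()}


def digest_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream with MD5, SHA1 and SHA256 in a single pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_bytes(data: bytes):
    """Convenience wrapper for in-memory data; returns (size, {algo: hexdigest})."""
    return digest_stream(io.BytesIO(data))


def match_digests(size, digests, iocs=KNOWN_SAMPLES, sizes=KNOWN_SIZES):
    """Return {algo: digest} for each algorithm whose digest is a known IOC (empty = no match)."""
    if sizes is not None and size not in sizes:
        return {}
    known = normalize_iocs(iocs)
    return {algo: d for algo, d in digests.items() if d in known.get(algo, set())}


def match_sample(data: bytes, iocs=KNOWN_SAMPLES, sizes=KNOWN_SIZES):
    """Check an in-memory file against the indicators, skipping hashing when the size rules it out."""
    if sizes is not None and len(data) not in sizes:
        return {}
    size, digests = digest_bytes(data)
    return match_digests(size, digests, iocs, sizes)


def match_file(path, iocs=KNOWN_SAMPLES, sizes=KNOWN_SIZES):
    """Check a file on disk, streaming it so large samples are never read whole into memory."""
    if sizes is not None and os.path.getsize(path) not in sizes:
        return {}
    with open(path, "rb") as f:
        size, digests = digest_stream(f)
    return match_digests(size, digests, iocs, sizes)
```

A hit on any one algorithm is enough to act on; a hit on all three confirms the file is byte-identical to the listed sample. A file that matches on size but on no digest is simply a different file of the same length.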
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
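The attributes above come straight from the PE headers, and the parser below, an added example rather than EnigmaSoft's tooling, reproduces them from a file's bytes: the optional-header magic gives 32- vs 64-bit, Subsystem gives CUI vs GUI, the COFF Characteristics give IMAGE_FILE_EXECUTABLE_IMAGE and IMAGE_FILE_DLL, and the data directories show whether exports, relocations, debug data, an Authenticode certificate table (the "security information" entry) and a CLR runtime header (what makes a file a .NET application) exist. A search for the "Rich" marker stands in for full Rich-header parsing, and "not packed" is left out because it needs section entropy rather than headers. build_pe assembles a constructed header-only blob for testing; it is not one of the listed samples. One caveat for an MSIL family: an AnyCPU .NET assembly is a PE32 image with an i386 machine type, yet on x64 it runs as a 64-bit process, so the 32-bit/64-bit attribute describes the header, not necessarily the bitness the code executes at.

```python
import struct

# Flags and constants from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
# Data directory indices behind the attributes listed on this page.
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14


def pe_attributes(data: bytes) -> dict:
    """Derive the header-level attributes listed above from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    pe32plus = magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    # NumberOfRvaAndSizes is at 92 (PE32) or 108 (PE32+); the directories follow it.
    nrva_off = opt + (108 if pe32plus else 92)
    (nrva,) = struct.unpack_from("<I", data, nrva_off)
    dirs = [struct.unpack_from("<II", data, nrva_off + 4 + 8 * i) for i in range(min(nrva, 16))]

    def present(index):
        return index < len(dirs) and dirs[index] != (0, 0)

    if subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI:
        subsystem_name = "console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)"
    elif subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI:
        subsystem_name = "GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)"
    else:
        subsystem_name = "subsystem %d" % subsystem
    return {
        # A Rich header, when present, lies between the DOS stub and the PE header;
        # searching for its "Rich" marker is a good-enough triage check.
        "rich_header": b"Rich" in data[0x40:e_lfanew],
        "debug_info": present(DIR_DEBUG),
        "exports": present(DIR_EXPORT),
        "relocations": present(DIR_BASERELOC),
        "security_info": present(DIR_SECURITY),   # Authenticode certificate table
        "dotnet": present(DIR_CLR),                # CLR runtime header => .NET assembly
        "bits": 64 if pe32plus else 32,
        "machine": machine,
        "subsystem": subsystem_name,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_pe(machine=0x14C, subsystem=IMAGE_SUBSYSTEM_WINDOWS_CUI, characteristics=0x0102,
             pe32plus=False, directories=None, rich=False):
    """Assemble a minimal header-only PE blob for testing (constructed, not a listed sample)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)       # 64-byte DOS header
    stub = (b"DanS" + b"\0" * 8 + b"Rich" + b"\0" * 0x30) if rich else b"\0" * 0x40
    table = directories or {}
    dirs = b"".join(struct.pack("<II", *table.get(i, (0, 0))) for i in range(16))
    optional = (struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 66
                + struct.pack("<HH", subsystem, 0)                  # Subsystem, DllCharacteristics
                + b"\0" * (36 if pe32plus else 20) + struct.pack("<I", 16) + dirs)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), characteristics)
    return dos + stub + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for name, value in pe_attributes(f.read()).items():
            print("%-16s %s" % (name, value))
```

Because these values come from headers that the author of a file fully controls, treat them as descriptive, not as evidence: a missing certificate table matches "No Signature" above, but a present one still has to be validated before it means anything.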
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Assembly Version | |
| Comments | Softland.Email.ConfiguracionSistema - Lee la configuración de empresa y realiza el envío de correos segun esa configuración (Spanish: "Reads the company configuration and sends e-mails according to that configuration") |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | Softland Chile Ltda. |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- .NET
- dll
- ntdll
- RijndaelManaged
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 1,192 |
|---|---|
| Potentially Malicious Blocks: | 36 |
| Whitelisted Blocks: | 894 |
| Unknown Blocks: | 262 |
Visual Map (one symbol per block in file order, 1,192 symbols): 0 - Probable Safe Block, ? - Unknown Block, x - Potentially Malicious Block.
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- MSIL.Agent.FSDA
- MSIL.Gamehack.CCD
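To make the block mechanism described under Block Information and the overlap measure behind Similar Families concrete, here is an added example; it is not EnigmaSoft's algorithm, whose block boundaries this page does not describe. It uses fixed 16-byte blocks as a stand-in for logical blocks, labels each block 0, ? or x against a whitelist and a set of block hashes previously seen in malicious samples, produces the same summary counts and symbol map as above, and ranks candidate families by Jaccard overlap of their block-hash sets. All inputs, family names and the threshold are constructed for the example.

```python
import hashlib

BLOCK_SIZE = 16  # bytes per block: a fixed-size stand-in for EnigmaSoft's logical blocks (assumption)


def block_hashes(data: bytes, block_size=BLOCK_SIZE):
    """Split data into consecutive blocks and return the SHA-256 of each, in file order."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def classify_blocks(data: bytes, whitelist, malicious, block_size=BLOCK_SIZE):
    """Label each block like the page's map: 0 whitelisted, x known malicious, ? unknown.

    Returns (summary counts, map string). A block found in both sets counts as
    malicious, since a whitelist hit must never suppress a malicious hit.
    """
    symbols = []
    for h in block_hashes(data, block_size):
        if h in malicious:
            symbols.append("x")
        elif h in whitelist:
            symbols.append("0")
        else:
            symbols.append("?")
    visual_map = "".join(symbols)
    summary = {
        "total": len(symbols),
        "potentially_malicious": visual_map.count("x"),
        "whitelisted": visual_map.count("0"),
        "unknown": visual_map.count("?"),
    }
    return summary, visual_map


def jaccard(a, b):
    """Share of distinct blocks two samples have in common (0.0 when both are empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def similar_families(sample: bytes, families, block_size=BLOCK_SIZE, threshold=0.5):
    """Rank families whose block sets overlap the sample at or above the threshold."""
    sample_blocks = set(block_hashes(sample, block_size))
    scored = [(name, jaccard(sample_blocks, blocks)) for name, blocks in families.items()]
    return sorted((t for t in scored if t[1] >= threshold), key=lambda t: -t[1])


# Constructed inputs (not bytes from any listed sample): a clean runtime prefix
# that the whitelist knows, a payload already seen in a malicious sample, and
# code nobody has seen before.
CLEAN_RUNTIME = bytes(range(64))                    # 4 blocks, all whitelisted
KNOWN_PAYLOAD = b"\xcc" * 16 + b"\x90" * 16          # 2 blocks, both known malicious
NEW_CODE = b"never seen before, unknown!!"           # 28 bytes -> 2 blocks, unknown
SAMPLE = CLEAN_RUNTIME + KNOWN_PAYLOAD + NEW_CODE

WHITELIST = set(block_hashes(CLEAN_RUNTIME))
MALICIOUS = set(block_hashes(KNOWN_PAYLOAD))
FAMILIES = {                                        # hypothetical family block sets
    "Family.A": set(block_hashes(CLEAN_RUNTIME + KNOWN_PAYLOAD)),
    "Family.B": set(block_hashes(bytes(range(128, 192)))),
}

if __name__ == "__main__":
    summary, visual_map = classify_blocks(SAMPLE, WHITELIST, MALICIOUS)
    print(summary, visual_map)                       # 8 blocks, map 0000xx??
    print(similar_families(SAMPLE, FAMILIES))        # [('Family.A', 0.75)]
```

With fixed-size blocks a single inserted byte shifts every later boundary and destroys the overlap, which is why production systems cut on logical units (functions, basic blocks, resources) instead; the classification and ranking steps are the same whichever cutting rule is used.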
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | (3 additional items are not displayed) |
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Anti Debug | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\219f2e7046cb54584c5697f1c68a1ae02eb1c51f_0000589824.,LiQMAxHB
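The line above is a sandbox record of rundll32 loading one of the listed samples (the file name is the SHA1 of the 589,824-byte sample followed by its size) and calling its export LiQMAxHB. Three things in it are worth detecting: the WoW64 redirect (a SysWOW64 image with system32\rundll32.exe as argv[0]), a DLL loaded from a user's Downloads folder, and a file name ending in a bare dot, which stops LoadLibrary from appending the default .dll extension to an extension-less name. The detector below is an added example, not EnigmaSoft's rule; the first log line is the one recorded above, the others are constructed, and the directory and extension lists are assumptions to tune per environment.

```python
import ntpath
import re

# Directory markers a standard user can write to without elevation; a DLL that
# rundll32 loads from one of these deserves a look, unlike one from System32.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Extensions rundll32 is normally asked to load. Anything else, including the
# empty extension left by a trailing dot, is a classic dodge of name-based checks.
EXPECTED_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}

# One argument is a run of quoted segments and bare characters, as CommandLineToArgv sees it.
_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')


def split_command_line(line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.replace('"', "") for t in _TOKEN.findall(line)]


def rundll32_target(argv):
    """Return (dll_path, export) for a rundll32 invocation, or None if it is not one.

    Sandbox logs often prefix the command line with the image path, and WoW64
    redirection can make that image SysWOW64\\rundll32.exe while argv[0] reads
    system32\\rundll32.exe, so every leading rundll32.exe token is skipped.
    """
    i = 0
    while i < len(argv) and ntpath.basename(argv[i]).lower() == "rundll32.exe":
        i += 1
    if i == 0 or i >= len(argv):
        return None
    dll, _, export = argv[i].partition(",")   # rundll32 splits DLL and entry point at the first comma
    return dll, export


def assess_rundll32(line):
    """Return the reasons a rundll32 command line is suspicious (an empty list means benign)."""
    target = rundll32_target(split_command_line(line))
    if target is None:
        return []
    dll, _export = target
    lowered = dll.lower()
    reasons = []
    ext = ntpath.splitext(lowered)[1]
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append("non-standard extension %r" % ext)
    if any(marker in lowered for marker in SUSPICIOUS_DIRS):
        reasons.append("DLL loaded from user-writable path")
    return reasons


def scan(lines):
    """Return [(line, reasons)] for every line the heuristics flag."""
    flagged = []
    for line in lines:
        reasons = assess_rundll32(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


SAMPLE_LOG = [
    # The command line recorded above for this family (sample SHA1 219f2e...c51f).
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\219f2e7046cb54584c5697f1c68a1ae02eb1c51f_0000589824.,LiQMAxHB",
    # Constructed benign line: a Control Panel applet launched the normal way.
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    # Constructed line: a quoted path with a space, under a user profile.
    r'C:\Windows\System32\rundll32.exe "C:\Users\Public\AppData\Local Temp\loader.dll",Start',
    # Constructed line that is not rundll32 at all and must be ignored.
    r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

Keep the two checks independent: the Downloads path would be caught by a plain "rundll32 from user profile" rule, but the bare-dot trick only shows up if the extension test runs on the parsed DLL argument rather than on the raw command line.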