Manalyze report for 83a7a45816af8876fee46bff83f61b007b99199c505aa2e3b951d842ab28a5c4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Apr-11 20:13:56
Detected languages	English - United States
CompanyName	GSE
FileDescription	GSE
FileVersion	`1, 0, 0, 2`
InternalName	GSE
LegalCopyright	Copyright (C) 2021 GSE
OriginalFilename	steam.exe
ProductName	GSE
ProductVersion	`1, 0, 0, 2`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryExW` `Code injection capabilities: CreateRemoteThread VirtualAllocEx WriteProcessMemory` `Can access the registry: RegSetValueExA RegQueryValueExW RegOpenKeyExW RegDeleteKeyA RegCreateKeyExW RegCloseKey RegSetValueExW` `Possibly launches other programs: CreateProcessW` `Manipulates other processes: WriteProcessMemory`
Suspicious	The file contains overlay data.	`165376 bytes of data starting at offset 0x42848.`
Malicious	VirusTotal score: 7/71 (Scanned on 2026-05-17 03:46:54)	`CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `Symantec: Heur.AdvML.L` `Trapmine: suspicious.low.ml.score` `TrellixENS: Artemis!C3C1FD26E55F` `VBA32: BScope.Trojan.Wacatac` `Webroot: W32.Malware.Gen`

Hashes

MD5	`c3c1fd26e55f7391585ed27ac92d4516`
SHA1	`9f39b7f71be1aa410aa965308a5938ad9e9f1ca2`
SHA256	`83a7a45816af8876fee46bff83f61b007b99199c505aa2e3b951d842ab28a5c4`
SHA3	`28a7faa10c0548d85573471046a2dd66fd05b0b477d96279e68e777025e1fb19`
SSDeep	`6144:KXqLosRWR8R5Ny03BwlUrY9aSuh8dzIH4Z6:KXqLBR5w0HrcuqjZ6`
Imports Hash	`9b236ab5a4f51fe4e729f54bac353b38`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2024-Apr-11 20:13:56
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x30a00`
SizeOfInitializedData	`0x4aa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001377B (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x32000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x7f000`
SizeOfHeaders	`0x400`
Checksum	`0x798f1`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`9eb699c21939628797925de2414da815`
SHA1	`df938debead653e3bc5eb4e1b062e51afab6d3ea`
SHA256	`db23700a91beeeb9e5bd5896b6c4bf16c1fb6a114c1ddc57b398cebfe0fa0146`
SHA3	`8a031228c69b05feed3ac34e30855bc050f406ac8f2f272322530784570dac4b`
VirtualSize	`0x3098e`
VirtualAddress	`0x1000`
SizeOfRawData	`0x30a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.57365`

.rdata

MD5	`5040c67febec16b11a40db2db41fd5a8`
SHA1	`e94a94285c65cc75aac3b11bd9b45f5066693e50`
SHA256	`15129dcb9244a23febc8ef012d26de611c97f3e1393f021801fe9a5d0ba5b730`
SHA3	`84f05d3c13dd04e8132a52ed546fd39823011d6f4ed711ce08bca83228aa9c60`
VirtualSize	`0xd100`
VirtualAddress	`0x32000`
SizeOfRawData	`0xd200`
PointerToRawData	`0x30e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.96104`

.data

MD5	`292eaaf5e34264bf7f23593ddf02b99f`
SHA1	`860919a16248246d1a6c948735ae84d55e618b28`
SHA256	`21331838b0e5041551295d5e6576670924a5231afca87b082ecf8cc8b3047923`
SHA3	`d05105884a23fea5ffd4172bcd0f3b9cb970788feba92fae8cde6f2e58f8a43a`
VirtualSize	`0x12338`
VirtualAddress	`0x40000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x3e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.19285`

.rsrc

MD5	`9ff20287d2b49ab0183b01d191538f91`
SHA1	`4e86ee2faa1999389e290aa18f3a8a3ba6ea1344`
SHA256	`cd077f6d128a424897f5358669814ed5ce557f9d08abd6f77096bb5990f4aa8c`
SHA3	`bb7d7b5768c12fc0942d61b3900c293afb9d4f1b9ed3fffe949eb44598faf217`
VirtualSize	`0x28c7c`
VirtualAddress	`0x53000`
SizeOfRawData	`0x28e00`
PointerToRawData	`0x3f400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.91832`

.reloc

MD5	`1b77ab354c3561cb98cf6944f3a59340`
SHA1	`87f7cf4d1663c0bb017067e3378b7b2d0b646883`
SHA256	`348d5699f88e6b316d717f17abcd83dc5d702a5858d333e5bd385a2e3525f48e`
SHA3	`28ff1860d74a495ca3f306d7ed4c7473c81cbdcbfde9f2f1f6c28606a29798c2`
VirtualSize	`0x25dc`
VirtualAddress	`0x7c000`
SizeOfRawData	`0x2600`
PointerToRawData	`0x68200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60867`

Imports

KERNEL32.dll	`GetModuleHandleW` `GetPrivateProfileStringW` `SetLastError` `CreateRemoteThread` `VirtualAllocEx` `CreateProcessW` `VirtualFreeEx` `GetModuleFileNameW` `LoadLibraryW` `FormatMessageA` `WriteConsoleW` `HeapSize` `SetStdHandle` `ResumeThread` `TerminateProcess` `GetCurrentProcessId` `WaitForSingleObject` `GetLastError` `CloseHandle` `WriteProcessMemory` `SetEnvironmentVariableW` `LocalFree` `GetLocaleInfoEx` `QueryPerformanceCounter` `QueryPerformanceFrequency` `Sleep` `GetCurrentThreadId` `WideCharToMultiByte` `MultiByteToWideChar` `GetStringTypeW` `GetCurrentDirectoryW` `CreateFileW` `FindClose` `FindFirstFileW` `FindFirstFileExW` `FindNextFileW` `GetFileAttributesExW` `GetFullPathNameW` `AreFileApisANSI` `GetProcAddress` `GetFileInformationByHandleEx` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `TryAcquireSRWLockExclusive` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `GetSystemTimeAsFileTime` `WakeAllConditionVariable` `SleepConditionVariableSRW` `EncodePointer` `DecodePointer` `LCMapStringEx` `GetCPInfo` `IsProcessorFeaturePresent` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetStartupInfoW` `GetCurrentProcess` `InitializeSListHead` `RaiseException` `RtlUnwind` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `GetModuleHandleExW` `ExitProcess` `GetStdHandle` `WriteFile` `HeapFree` `GetFileType` `GetFileSizeEx` `SetFilePointerEx` `HeapAlloc` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `ReadFile` `ReadConsoleW` `HeapReAlloc` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetProcessHeap` `SetEndOfFile`
USER32.dll	`MessageBoxA` `MessageBoxW`
ADVAPI32.dll	`RegSetValueExA` `RegQueryValueExW` `RegOpenKeyExW` `RegDeleteKeyA` `RegCreateKeyExW` `RegCloseKey` `RegSetValueExW`

Delayed Imports

SOURCE_CONTROL_ID

Type	`SCID`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.95021`
MD5	`b4f6bc541faccef222d975874c899b50`
SHA1	`58e0e5df12c1279c1a2f6a610f3de274d3ae8cb5`
SHA256	`07b46b5ce9d2dc257fcbd24a26c8d1146d73e1f4f1e0439076d11183ab931a98`
SHA3	`ec80b28420a1acca1406fdcde0e8176fc28a7006244e02d5d0cf5a37a1d61c94`

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.14832`
MD5	`88d236a4ae82fd86ae710856a980e983`
SHA1	`0ca986edf9d279c2469c7152f15bba49b013920d`
SHA256	`d967943e058c0fbd882558da4f557a6233fe98c79022f4dbe8b6581aa364ff6b`
SHA3	`099aea4b506e8cffe42e78466241b819c52dcb71bb3efb49000f7dbfd7088bc1`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.96818`
MD5	`40adddc8310b78160dea524d634ef2c1`
SHA1	`140ce9196d57126454e33a9b8bd7bcfa52c37584`
SHA256	`95effdd025ba719b873af15ac961d20e88ad7053c1d1edc70b31af1b081bf8f9`
SHA3	`21bb47dc32ef8dd264347ee9ad004239626021cbc019ecf29325297bb81e6be8`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.55559`
MD5	`150b40fc5b032f8ae4b61c6ffc8d9cbe`
SHA1	`2c9a74f69f4ba141f3dad110bc29674f1e25d129`
SHA256	`8ed47850f17829a52d866848a78e7f0b5aa1c7af9fc4fa6cab6c110cb807e3bd`
SHA3	`5056b3a5e448c7ac651f3b152a2450a191b19e78de85a605e8707469ab63796a`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83068`
MD5	`5491b0665ca7219f5fa2e11cb96c5de6`
SHA1	`565cf89ec8bdac88cc7868f039b4bbd7d229cede`
SHA256	`6611686039092ba615c029a7274c02743adabe28eeaa1d9c0aa70ec455a258b0`
SHA3	`54e99dfb9727c4bfc20949c9d76ea28cd2ce87dd8a288914e2c4f59f42ad08a6`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.70503`
MD5	`b4911d27cc96b809d4e4b225ae259a31`
SHA1	`0ff58b908fce30785b9442c41b1502a761dce4c9`
SHA256	`e6c4450e8656ab4de000651362353ae85ae55ba73edb4a090ebe47350d1b7cf6`
SHA3	`10cd9041bb9b9707346a8927eba41b29f8356ff10267dff9336181cc891d180e`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x5488`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.53428`
MD5	`b4bbf0bcbd5c55f2a608befabfce759e`
SHA1	`a04698f5d8159fbf73c79bdf5d1861f599cbd728`
SHA256	`4ca32c818da788cfa0048b80e627d0a5ddd834091f3d67fea91d07dd5a8d4297`
SHA3	`a2f84390ca69284af6028926c97dc008769989f6f3e7335b5351064fe70d52e5`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.32303`
MD5	`3b190682dd839ad626d0cbad29b3ef82`
SHA1	`e343f5e19bfca57ed9e8e815a909862b91df4ff8`
SHA256	`08e54ce44e1d71dc01fbdd97806bd6bb6af626025c732a6472ccf6816d7edcbf`
SHA3	`aa79183378b68de31394e6feb534a1b78c31040e20d9473a3e4fd0b97ee06b42`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.982515`
MD5	`e525903917d715bb1ed6ce9e9d2537ae`
SHA1	`cfe08e0f1b55e4e24d2467f22622b1173ef53322`
SHA256	`622c019e74054d77c3130ad624145190e6dcd522ac0389cf9cd1c431080e7e1e`
SHA3	`baa9ac20f3c43405d43aae2aded76bf18a26aee7ff198d7e4f86ccf375b2fd4f`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xbd0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.42419`
Detected Filetype	PNG graphic file
MD5	`c266a459528abf38f0543e778e98ba2c`
SHA1	`5da8c2b204039912c9cd8d87d7419b633bb70a10`
SHA256	`ba5a422ab3bac8f39a41012c51b9cb9e607d5b996f49dbc1929601e2e658434c`
SHA3	`e7b47b08541937da3edfb906330fcb5bf3bd6e67e029911b7b29472dfd95e7be`

OMORI

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.03466`
Detected Filetype	Icon file
MD5	`c7e57b1954e31b75abd4a010088f4a9c`
SHA1	`95e737910133cee87749525718fdd36b8ea27102`
SHA256	`71d227fd469a894e8cb3b64b61fd332b284257fd2bd54a60643af3a761d7d902`
SHA3	`6890ba56f722b9c8e5a7ec2cfacea0fa348d86bc1844f8184198e8c02174df92`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2d4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42838`
MD5	`a1f5f147793156411b56285f31c6e37f`
SHA1	`3abed2a4bdbca3c91ddef3814f0818c34e01a46e`
SHA256	`49ca75e7c6f7f660e79573da61a76c78e6da3942ddd00c2c0128622cfd8b9d90`
SHA3	`98767959dc9c40718e8f40a5d27b315ee011cf4f6094e9cb04858be58acc7ccc`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x288`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.32137`
MD5	`7f5710f272d616aa9a40b65cecd5c1cc`
SHA1	`9c4d1459be754f3c18a9d1f931e32c996b23d9e5`
SHA256	`917aec2cabe0f29377d328d7e7e956c0ab2065565c1ddfa46b24ebf682856103`
SHA3	`fa28470225ae684dad80adbba635b23a697638d67d1a34c048526d26b31b10f6`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Apr-11 20:13:56
Version	`0.0`
SizeofData	`964`
AddressOfRawData	`0x3cad4`
PointerToRawData	`0x3b8d4`

TLS Callbacks

StartAddressOfRawData	`0x43cea8`
EndAddressOfRawData	`0x43ceb0`
AddressOfIndex	`0x45172c`
AddressOfCallbacks	`0x432244`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x440100`
SEHandlerTable	`0x43c628`
SEHandlerCount	`69`

RICH Header

Errors

[*] Warning: The WIN_CERTIFICATE appears to be invalid.
[*] Warning: Multiple nodes using the name Version Info in a dictionary.

Leave a comment

No comments yet.