93f6611c4efad8483ce1c42800d8aa8f

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2024-Apr-16 04:35:12
Debug artifacts D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
CompanyName SteamAppImportPro
FileDescription SteamAppImportPro
FileVersion 1.0.9.1
InternalName SteamAppImportPro.dll
LegalCopyright
OriginalFilename SteamAppImportPro.dll
ProductName SteamAppImportPro
ProductVersion 1.0.0+d3ff45fd6f35568aba1327796dfac5614474157a
Assembly Version 1.0.9.1

Plugin Output

Info Matching compiler(s): Microsoft Visual C# v7.0 / Basic .NET
.NET DLL -> Microsoft
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • sc.exe
Contains another PE executable:
  • This program cannot be run in DOS mode.
Miscellaneous malware strings:
  • virus
Contains domain names:
  • Octokit.net
  • api.github.com
  • cacerts.digicert.com
  • crl.microsoft.com
  • crl3.digicert.com
  • crl4.digicert.com
  • digicert.com
  • docs.microsoft.com
  • gitee.com
  • github.com
  • go.microsoft.com
  • http://cacerts.digicert.com
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  • http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
  • http://crl.microsoft.com
  • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0
  • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
  • http://crl3.digicert.com
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
  • http://crl3.digicert.com/sha2-assured-ts.crl02
  • http://crl4.digicert.com
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
  • http://crl4.digicert.com/sha2-assured-ts.crl0
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0K
  • http://ocsp.digicert.com0N
  • http://ocsp.digicert.com0O
  • http://schemas.microsoft.com
  • http://schemas.microsoft.com/SMI/2005/WindowsSettings
  • http://www.digicert.com
  • http://www.digicert.com/CPS0
  • http://www.microsoft.com
  • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
  • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
  • http://www.microsoft.com/pkiops/Docs/Repository.htm0
  • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
  • http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010
  • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
  • http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010
  • http://www.microsoft.com/pkiops/docs/primarycps.htm0
  • http://www.microsoft.com0
  • https://aka.ms
  • https://api.github.com
  • https://api.github.com/
  • https://docs.microsoft.com
  • https://docs.microsoft.com/dotnet/api/system.text.json.serialization.jsonnumberhandling
  • https://fracerqueira.github.io
  • https://fracerqueira.github.io/PromptPlus
  • https://gitee.com
  • https://github.com
  • https://go.microsoft.com
  • https://go.microsoft.com/fwlink/?linkid
  • https://tinyurl.com
  • https://www.digicert.com
  • https://www.digicert.com/CPS0
  • https://www.sqlite.org
  • https://www.sqlite.org/rescode.html
  • microsoft.com
  • microsoft.net
  • octokit.net
  • schemas.microsoft.com
  • sqlite.org
  • tinyurl.com
  • www.digicert.com
  • www.microsoft.com
  • www.sqlite.org
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Uses constants related to Blowfish
Uses constants related to RC5 or RC6
Uses constants related to Twofish
Uses constants related to TEA
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
Can access the registry:
  • RegOpenKeyExW
  • RegGetValueW
  • RegCloseKey
Possibly launches other programs:
  • ShellExecuteW
Suspicious The file contains overlay data. 7765498 bytes of data starting at offset 0x24800.
Overlay data amounts for 98.1111% of the executable.
Suspicious VirusTotal score: 2/73 (Scanned on 2024-09-26 06:57:05) Antiy-AVL: GrayWare[AdWare]/Win32.Puwaders
Ikarus: PUA.MSIL.Dllinject

Hashes

MD5 93f6611c4efad8483ce1c42800d8aa8f
SHA1 d2be54c5c16cde188150a89907a1dd04679d445b
SHA256 ddfe97869da7f1a3bca74c5236eb22976e71cd694e81bd1b592d666ae3f165f8
SHA3 3d930726a4857c2082868a0b32c0a886c7fbdb8f5475b87c330817ad2896b598
SSDeep 98304:GfyHa5j4QT3Cw+PTzwNlobr7UIyuqDI8uNistqX5:GfyHddw+Pfw6CDI8uNist65
Imports Hash 6dbf27f4c70fe2c8ed3e0122ba75d641

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2024-Apr-16 04:35:12
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x18400
SizeOfInitializedData 0xcc00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000013C60 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x2b000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x180000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 0a11f732cbe48283e2e6549421819adc
SHA1 c5cb1aefaad6966861c1593b481dc6e8fed82372
SHA256 55b187364a6cf01ac803214aeedb96c9588da715fa3ac29a596b879d29c59774
SHA3 3b9124a69f6481bf950dde188713e6039d1377cfc28db5e279fe76747d3bbeba
VirtualSize 0x1821c
VirtualAddress 0x1000
SizeOfRawData 0x18400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.32025

.rdata

MD5 2dc680b892a9a282d665479da8eac2ec
SHA1 6314504d78b43c819a00af5694869d723ee85e8e
SHA256 4f11361d0c9c61d0f5815580f13c6443b4b4c54c5dda2c0d759ffb835014466a
SHA3 97217df1a61ec15dcb0b3db7aaf9a49b5f0414505c951284cc856993935b8d1f
VirtualSize 0x9302
VirtualAddress 0x1a000
SizeOfRawData 0x9400
PointerToRawData 0x18800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.52606

.data

MD5 5972b7f0aa146caa1257e5142df768d6
SHA1 da4e7974136d3039717104c667af909a91941301
SHA256 6f9af9fd6410ecf5da848d5c8ed6ac62e2a5ded9e4ddc260296946225387dccb
SHA3 415cdac71e3bd1aad7429bebf8282eb86c0178026628eb4e4f97d4a939c7e1a7
VirtualSize 0x14f8
VirtualAddress 0x24000
SizeOfRawData 0xa00
PointerToRawData 0x21c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.49753

.pdata

MD5 6a2868947463d3292323bc1a5bca8733
SHA1 2338807f0d382e29efb2c3a60f3b13fd29f19fdc
SHA256 872fada299f9a72839e8f338a941422b92108ff391d3e877bd5b91cde2bbc9a0
SHA3 5f1b5d4cbc29dd8f37e3f4caebc05de07a941eebb28c7c59788c02fb4b05b3e1
VirtualSize 0x1440
VirtualAddress 0x26000
SizeOfRawData 0x1600
PointerToRawData 0x22600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7227

_RDATA

MD5 0a880db69ef3d95f9e9e17c8465b574f
SHA1 8c0233ee3e7781c46c243eb9c9d34d6018a32e5a
SHA256 a2883e2f291e5a0efb77a5a2caf278041459695021b5b35f867fb1a93853f789
SHA3 7d6ead6313f0fe7c807dc795dbebf5e5145023647e5a5a89fd5e79e5e7c6177e
VirtualSize 0xf4
VirtualAddress 0x28000
SizeOfRawData 0x200
PointerToRawData 0x23c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.41185

.reloc

MD5 541be3271e778d705125ef64917f1dc4
SHA1 fa285b25439b88de9d303d95d4cad3cf5e3bb74d
SHA256 d908c0f796c74b16b48dbe64c40d90df7afde69eaa10f3fc72fe5fd0a3eb0b24
SHA3 27e3b8dc62cdbc1f5daa3041d57c6cdd2090aee26d572520c05e12350c3377b7
VirtualSize 0x318
VirtualAddress 0x29000
SizeOfRawData 0x400
PointerToRawData 0x23e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.69305

.rsrc

MD5 3e00fe01a68da186a4c68e46e8c5862f
SHA1 afe83b8c37b9225e04410247494a6bed3757366d
SHA256 f5fcdc33c07c3718e9b984e49ce6a90478a78b9ca1196a1ba78265e6c73f200b
SHA3 d64f07c0a418f80b66f788a328fa7aea2f743e96d9a8d092686c656a471fde0a
VirtualSize 0x5f0
VirtualAddress 0x2a000
SizeOfRawData 0x600
PointerToRawData 0x24200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.33039

Imports

KERNEL32.dll FindNextFileW
GetCurrentProcess
GetModuleHandleExW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
GetEnvironmentVariableW
FindClose
MultiByteToWideChar
GetLastError
GetFileAttributesExW
GetFullPathNameW
GetProcAddress
DeleteCriticalSection
WideCharToMultiByte
IsWow64Process
LoadLibraryExW
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
EnterCriticalSection
FindFirstFileExW
OutputDebugStringW
LoadLibraryA
GetModuleHandleW
InitializeCriticalSectionAndSpinCount
SetLastError
RaiseException
RtlPcToFileHeader
RtlUnwindEx
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCMapStringEx
DecodePointer
EncodePointer
InitializeCriticalSectionEx
GetStringTypeW
USER32.dll MessageBoxW
SHELL32.dll ShellExecuteW
ADVAPI32.dll RegOpenKeyExW
RegGetValueW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
RegCloseKey
api-ms-win-crt-runtime-l1-1-0.dll _exit
__p___argc
_initterm_e
_initterm
_get_initial_wide_environment
_invalid_parameter_noinfo_noreturn
_initialize_wide_environment
_configure_wide_argv
_initialize_onexit_table
_set_app_type
__p___wargv
_seh_filter_exe
_register_onexit_function
_cexit
terminate
_errno
exit
abort
_crt_atexit
_c_exit
_register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll setvbuf
fflush
_wfopen
__stdio_common_vswprintf
__stdio_common_vfwprintf
_set_fmode
__stdio_common_vsprintf_s
__acrt_iob_func
fputwc
fputws
__p__commode
api-ms-win-crt-heap-l1-1-0.dll _set_new_mode
_callnewh
free
malloc
calloc
api-ms-win-crt-string-l1-1-0.dll wcsnlen
strcpy_s
_wcsdup
strcspn
wcsncmp
toupper
api-ms-win-crt-convert-l1-1-0.dll _wtoi
wcstoul
api-ms-win-crt-locale-l1-1-0.dll setlocale
___lc_locale_name_func
localeconv
_unlock_locales
_lock_locales
___mb_cur_max_func
_configthreadlocale
__pctype_func
___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll frexp
__setusermatherr
api-ms-win-crt-time-l1-1-0.dll _gmtime64_s
_time64
wcsftime

Delayed Imports

1

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x364
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.40133
MD5 cae7c7582c6ed71bff410d593e832ecd
SHA1 16d5d1c6f5b04efee4fb2c22c79ed81b5cd31070
SHA256 9770c9a18c1440e68469d06ad4b74301c37f59c7e1501d340b3f3ebea3321dd7
SHA3 fb69d01d7f0548b3ecd56e86d7986e6584d64c541e60f1ac72cd9fd09a122e0d

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.9.1
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName SteamAppImportPro
FileDescription SteamAppImportPro
FileVersion (#2) 1.0.9.1
InternalName SteamAppImportPro.dll
LegalCopyright
OriginalFilename SteamAppImportPro.dll
ProductName SteamAppImportPro
ProductVersion (#2) 1.0.0+d3ff45fd6f35568aba1327796dfac5614474157a
Assembly Version 1.0.9.1
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2024-Apr-16 05:05:32
Version 0.0
SizeofData 109
AddressOfRawData 0x1fba0
PointerToRawData 0x1e3a0
Referenced File D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2024-Apr-16 05:05:32
Version 0.0
SizeofData 20
AddressOfRawData 0x1fc10
PointerToRawData 0x1e410

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2024-Apr-16 05:05:32
Version 0.0
SizeofData 944
AddressOfRawData 0x1fc24
PointerToRawData 0x1e424

TLS Callbacks

StartAddressOfRawData 0x14001fff8
EndAddressOfRawData 0x140020008
AddressOfIndex 0x1400254e0
AddressOfCallbacks 0x14001a4d0
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_8BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x138
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140024020
GuardCFCheckFunctionPointer 5368816648
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x2ef29682
Unmarked objects 0
C objects (30034) 12
ASM objects (30034) 10
C++ objects (30034) 77
Imports (VS2008 SP1 build 30729) 16
Imports (29395) 9
Total imports 162
C++ objects (LTCG) (30154) 10
Linker (30154) 1

Errors
