Manalyze report for cfd01ca6bce83d110365883be797ce22ab6ee436d8bc1cbfb4f91732a24b1e3d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Nov-19 22:39:18
Detected languages	Russian - Russia
CompanyName	Online-Fix.Me
FileDescription	Online-Fix Steamclient
FileVersion	`1.3.4.0`
LegalCopyright	Copyright (C) 2021-2025, 0xdeadc0de
ProductVersion	`1.3.4.0`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable` `Unusual section name found: .ofme0` `Unusual section name found: .ofme1` `Unusual section name found: .ofme2` `The PE only has 6 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`Leverages the raw socket API to access the Internet: ioctlsocket`
Malicious	VirusTotal score: 43/71 (Scanned on 2026-04-09 19:45:02)	`ALYac: Trojan.GenericKD.77845154` `AVG: Win64:Evo-gen [Trj]` `AhnLab-V3: HackTool/Win.Generic.R760605` `Antiy-AVL: RiskWare/Win32.Agent` `Arcabit: Trojan.Generic.D4A3D2A2` `Avast: Win64:Evo-gen [Trj]` `BitDefender: Trojan.GenericKD.77845154` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.GameHack` `CTX: dll.trojan.crack` `CrowdStrike: win/malicious_confidence_70% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/HackTool.Crack.AA potentially unsafe application` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.GenericKD.77845154 (B)` `Fortinet: Riskware/Crack` `GData: Trojan.GenericKD.77845154` `Google: Detected` `Gridinsoft: Trojan.Heur!.022120A2` `Ikarus: Trojan-Spy.Agent` `K7AntiVirus: Unwanted-Program ( 005d025d1 )` `K7GW: Unwanted-Program ( 005d025d1 )` `Lionic: Trojan.Win32.Crack.4!c` `Malwarebytes: RiskWare.GameHack` `MaxSecure: Trojan.Malware.646670199.susgen` `MicroWorld-eScan: Trojan.GenericKD.77845154` `Microsoft: HackTool:Win32/Crack!MSR` `Paloalto: generic.ml` `Panda: PUP/Crack` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Dropper.wc` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `TrellixENS: Artemis!9EE80BF36A62` `TrendMicro-HouseCall: TROJ_GEN.R002H09KN25` `VIPRE: Trojan.GenericKD.77845154` `Varist: W64/ABApplication.STUG-4120` `Webroot: W32.Hack.Tool` `Yandex: PUP.Crack!cqMRWeRL6pw` `alibabacloud: HackTool:Win/Crack.AM`

Hashes

MD5	`9ee80bf36a62e022de8ea7ed0e7f3ba6`
SHA1	`1469e9cd8a260949b899981d57558c7da907026f`
SHA256	`cfd01ca6bce83d110365883be797ce22ab6ee436d8bc1cbfb4f91732a24b1e3d`
SHA3	`3b16578a8e5abf647368e6cea490323206f44e3cf9cafcf669e1aff513bec98c`
SSDeep	`196608:j+Q/IEsbemkpcKjV1uQ5hVd7YXgkiK1SFCupxPq+oJEIUEQ1PiA/8kxWC:oE8bgJV7D1YXwFV7iVDQ1PNEY`
Imports Hash	`10c1b70987e42d05f256c6e82924ec7e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	2025-Nov-19 22:39:18
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1bb800`
SizeOfInitializedData	`0xff600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000013AF080 (Section: .ofme2)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x14ff000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1bb610`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x946a8`
VirtualAddress	`0x1bd000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x4e900`
VirtualAddress	`0x252000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x13f2c`
VirtualAddress	`0x2a1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.fptable

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x100`
VirtualAddress	`0x2b5000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.ofme0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6756e3`
VirtualAddress	`0x2b6000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.ofme1

MD5	`367ca4c3390c02d57f191fb1aabf4a4d`
SHA1	`af4eaf55b39665d13bf973d3fe7ca33347f25edf`
SHA256	`308ee3ea10982627bff6a683a4e5de929d2a8e7cd23f27ecb97552444e7ce7e2`
SHA3	`b7159334b854eb2d1ff4bbef41bd72c5d1ad7ecddd27d410dc764c644b5964e3`
VirtualSize	`0x98`
VirtualAddress	`0x92c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.369417`

.ofme2

MD5	`3aebae3bb91bfd5d9720d72b77a7300c`
SHA1	`23334ff07873a130841e3810ada46024c622b377`
SHA256	`e3ce8bf76087ee5a0874bddf878b1b59c0d22c16f71781bea71c7f57e13422cd`
SHA3	`fdb5c01f63cdfc79ede42ca068bba63b6b16bdd5564f74642f651764813e2cc4`
VirtualSize	`0xbcf980`
VirtualAddress	`0x92d000`
SizeOfRawData	`0xbcfa00`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.68665`

.rsrc

MD5	`e776717a5be73722628156924a28e1ee`
SHA1	`d758d78c8078e0d60c828b61b7bbbfb5fa11603b`
SHA256	`edb00cd7f2db9b441ebe56ea2c73ded29a146a4f6bf5f42ce96a9376e70ee2f2`
SHA3	`ab79ca3bd15fbeaf1d4ac44ccdb9a2826bde56ecd795a362c52eb42bab012599`
VirtualSize	`0x298`
VirtualAddress	`0x14fd000`
SizeOfRawData	`0x400`
PointerToRawData	`0xbd0000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.31124`

.reloc

MD5	`671d4260381a68d6c8a66e254fa0ff6e`
SHA1	`e72af7eb8974a6209628dc7c58ee936a26359947`
SHA256	`49a0e43616ff1363868ff284bb183dbef969ade56718d438d1659a9a72e22c5a`
SHA3	`19d633462d880028788e246e9661a32aaba00b6e364a100441d471de67be1273`
VirtualSize	`0xb0`
VirtualAddress	`0x14fe000`
SizeOfRawData	`0x200`
PointerToRawData	`0xbd0400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.89085`

Imports

KERNEL32.dll	`GetModuleHandleA`
USER32.dll	`GetUserObjectInformationW`
SHELL32.dll	`SHGetSpecialFolderPathA`
WS2_32.dll	`ioctlsocket`
WLDAP32.dll	`#27`
ADVAPI32.dll	`RegisterEventSourceW`

Delayed Imports

Breakpad_SteamMiniDumpInit

Ordinal	`1`
Address	`0x60770`

Breakpad_SteamSendMiniDump

Ordinal	`2`
Address	`0x60780`

Breakpad_SteamSetAppID

Ordinal	`3`
Address	`0x60790`

Breakpad_SteamSetSteamID

Ordinal	`4`
Address	`0x607a0`

Breakpad_SteamWriteMiniDumpSetComment

Ordinal	`5`
Address	`0x607b0`

Breakpad_SteamWriteMiniDumpUsingExceptionInfoWithBuildId

Ordinal	`6`
Address	`0x607c0`

CreateInterface

Ordinal	`7`
Address	`0x603b0`

OnlineFix

Ordinal	`8`
Address	`0x60140`

ShellExecuteA

Ordinal	`9`
Address	`0x60150`

ShellExecuteW

Ordinal	`10`
Address	`0x601b0`

Steam_BConnected

Ordinal	`11`
Address	`0x607d0`

Steam_BGetCallback

Ordinal	`12`
Address	`0x60210`

Steam_BLoggedOn

Ordinal	`13`
Address	`0x607e0`

Steam_BReleaseSteamPipe

Ordinal	`14`
Address	`0x607f0`

Steam_ConnectToGlobalUser

Ordinal	`15`
Address	`0x60800`

Steam_CreateGlobalUser

Ordinal	`16`
Address	`0x60810`

Steam_CreateLocalUser

Ordinal	`17`
Address	`0x60820`

Steam_CreateSteamPipe

Ordinal	`18`
Address	`0x60830`

Steam_FreeLastCallback

Ordinal	`19`
Address	`0x60360`

Steam_GSBLoggedOn

Ordinal	`20`
Address	`0x60850`

Steam_GSBSecure

Ordinal	`21`
Address	`0x60860`

Steam_GSGetSteam2GetEncryptionKeyToSendToNewClient

Ordinal	`22`
Address	`0x60870`

Steam_GSGetSteamID

Ordinal	`23`
Address	`0x60880`

Steam_GSLogOff

Ordinal	`24`
Address	`0x60890`

Steam_GSLogOn

Ordinal	`25`
Address	`0x608a0`

Steam_GSRemoveUserConnect

Ordinal	`26`
Address	`0x608b0`

Steam_GSSendSteam2UserConnect

Ordinal	`27`
Address	`0x608c0`

Steam_GSSendSteam3UserConnect

Ordinal	`28`
Address	`0x608d0`

Steam_GSSendUserDisconnect

Ordinal	`29`
Address	`0x608e0`

Steam_GSSendUserStatusResponse

Ordinal	`30`
Address	`0x608f0`

Steam_GSSetServerType

Ordinal	`31`
Address	`0x60900`

Steam_GSSetSpawnCount

Ordinal	`32`
Address	`0x60910`

Steam_GSUpdateStatus

Ordinal	`33`
Address	`0x60920`

Steam_GetAPICallResult

Ordinal	`34`
Address	`0x60310`

Steam_GetGSHandle

Ordinal	`35`
Address	`0x60840`

Steam_InitiateGameConnection

Ordinal	`36`
Address	`0x60930`

Steam_IsKnownInterface

Ordinal	`37`
Address	`0x60940`

Steam_LogOff

Ordinal	`38`
Address	`0x60950`

Steam_LogOn

Ordinal	`39`
Address	`0x60960`

Steam_NotifyMissingInterface

Ordinal	`40`
Address	`0x60970`

Steam_ReleaseThreadLocalMemory

Ordinal	`41`
Address	`0x60980`

Steam_ReleaseUser

Ordinal	`42`
Address	`0x60990`

Steam_SetLocalIPBinding

Ordinal	`43`
Address	`0x609a0`

Steam_TerminateGameConnection

Ordinal	`44`
Address	`0x609b0`

1

Type	`RT_VERSION`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x240`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.39902`
MD5	`2f6e0f39e76bb19c61dd1fbaf5f63177`
SHA1	`530c3dbd4441f9e31dff9839f38043dd9b92409c`
SHA256	`c67c6239f655ed5013c74dc78bf57e4b4d4938d4a78c87fddb84889e648453c6`
SHA3	`6fd0c010bcf063193f78b7330613bd6832cc739b7e38eae192bf450d441a6c98`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.3.4.0
ProductVersion	1.3.4.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	UNKNOWN
CompanyName	Online-Fix.Me
FileDescription	Online-Fix Steamclient
FileVersion (#2)	1.3.4.0
LegalCopyright	Copyright (C) 2021-2025, 0xdeadc0de
ProductVersion (#2)	1.3.4.0

Resource LangID	Russian - Russia

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x180299280`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .fptable has a size of 0!
[*] Warning: Section .ofme0 has a size of 0!

Leave a comment

No comments yet.