Field | Value
---|---
File name: | TF2+XHack.zip
Full analysis: | https://app.any.run/tasks/b7f8c05f-00cc-41d4-84de-18399e1ad014
Verdict: | Malicious activity
Analysis date: | May 20, 2019, 11:16:20
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: | —
MIME: | application/zip
File info: | Zip archive data, at least v1.0 to extract
MD5: | 6D72B32A304C968033819BCD8F7039F6
SHA1: | 78B6CD8B699D73CF0D92CF90FC43FF9BA7209937
SHA256: | 37024F8A28E3822BB6E0F775CF2F4297896558021D25679AC8FB9AAF895531C7
SSDEEP: | 24576:kgYK2hbI9nT2hSyJTaXIY4Tm2aEQEMcNY144742QeCvv4lc4reh9uHMi/:pd9n6hSfXIx0i+484iCn4lbO9OMi
Extension | File type
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipFileName: | TF2 XHack/
ZipUncompressedSize: | -
ZipCompressedSize: | -
ZipCRC: | 0x00000000
ZipModifyDate: | 2018:07:06 15:29:15
ZipCompression: | None
ZipBitFlag: | -
ZipRequiredVersion: | 10
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3364 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TF2+XHack.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
2820 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe | — | WinRAR.exe
User: admin; Company: master131; Integrity Level: MEDIUM; Description: Extreme Injector; Exit code: 0; Version: 3.7.3.0 | | | |
2768 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe | — | Extreme Injector v3.exe
User: admin; Company: master131; Integrity Level: HIGH; Description: Extreme Injector; Exit code: 0; Version: 3.7.3.0 | | | |
2548 | "C:\Users\admin\Desktop\Extreme Injector v3.exe" | C:\Users\admin\Desktop\Extreme Injector v3.exe | — | explorer.exe
User: admin; Company: master131; Integrity Level: MEDIUM; Description: Extreme Injector; Exit code: 0; Version: 3.7.3.0 | | | |
4024 | "C:\Users\admin\Desktop\Extreme Injector v3.exe" | C:\Users\admin\Desktop\Extreme Injector v3.exe | — | Extreme Injector v3.exe
User: admin; Company: master131; Integrity Level: HIGH; Description: Extreme Injector; Version: 3.7.3.0 | | | |
832 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255) | | | |
2296 | "C:\Users\admin\AppData\Local\Temp\ez25op3y.zoa\dxwebsetup.exe" | C:\Users\admin\AppData\Local\Temp\ez25op3y.zoa\dxwebsetup.exe | — | Extreme Injector v3.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: DirectX 9.0 Web setup; Exit code: 2852126720; Version: 9.29.1974.0 | | | |
4052 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | — | dxwebsetup.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: DirectX Setup; Exit code: 2852126720; Version: 4.9.0.0904 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3364.4787\TF2 XHack\X-HACK TF2.dll | — | — | —
4052 | dxwsetup.exe | C:\Windows\system32\directx\websetup\SETDD77.tmp | — | — | —
4052 | dxwsetup.exe | C:\Windows\system32\directx\websetup\SETDD78.tmp | — | — | —
3364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Read ME.txt | text | 23C867EDAC59D5D6CA73BAFF10040282 | 13417E4D3B3E19A82B7F6A55BC9119F8CD6A7DA0B6E053671E681182880E66F3
4052 | dxwsetup.exe | C:\Windows\Logs\DirectX.log | text | 73B907C1E887490805CE6C13B7DC5E28 | E6495C2E08D456E94E53E606621DBE43F5EBFD73E4C2E269E31B5ECFBD1F1052
4052 | dxwsetup.exe | C:\Windows\INF\setupapi.app.log | text | B08FB1F019363CB1833069EF53DBA586 | BC61319354A4D3DBCEAA8AD8DF94C9893F221A23FD7B21EAD74735A226B325F7
4052 | dxwsetup.exe | C:\Windows\Temp\OLD4E33.tmp | — | — | —
3364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\X-HACK TF2.dll | executable | 6D31CD45202DA09A69055694CE654130 | D402B9C95DB2787D71D296FFA65067830FF2E50F71675C1F7EA1B93B63F5D8CA
4024 | Extreme Injector v3.exe | C:\Users\admin\Desktop\settings.xml | xml | 7A19A8DBB127DEC0BBD5BD7CC609B14A | 05C9AB2D51F7100477D97316605FA7D976AAD5C687746C1FA77DD7731173EF75
2768 | Extreme Injector v3.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\settings.xml | xml | 87EA78350088549E7BF529C6BD2397D7 | 7091DAB01D68AE1979313D53F6580B0415C26BB2047A96A23FBEB29C5F6F7905
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4024 | Extreme Injector v3.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
4024 | Extreme Injector v3.exe | 23.210.249.93:443 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4024 | Extreme Injector v3.exe | 2.21.36.168:443 | download.microsoft.com | GTT Communications Inc. | FR | malicious |
2768 | Extreme Injector v3.exe | 151.101.64.133:443 | raw.githubusercontent.com | Fastly | US | suspicious |
2768 | Extreme Injector v3.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
Domain | IP | Reputation
---|---|---
raw.githubusercontent.com | — | shared
www.microsoft.com | — | whitelisted
download.microsoft.com | — | whitelisted
Process | Message
---|---
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | Invalid parameter passed to C runtime function.
dxwsetup.exe | Invalid parameter passed to C runtime function.
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_DETACH