File name: Fortnite Hack.exe

Full analysis: https://app.any.run/tasks/07bb9776-85ee-452e-ab39-7fba2631d0bc
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: July 15, 2024, 00:32:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: xworm
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 690B6178F5201B2AE4C6A004DA7ADF51
SHA1: A088C5F9CEC5368993BF261A94154A4B0ECC79EF
SHA256: 226D0F9514ED305D80B63870F816C257E0C37CF3492895BBCC112B80590801DF
SSDEEP: 3072:SkQYxW5zyWIhY+czb8Pc3IVv7pR6Qli086DB4:SkQYAzylYx8Ptp7po

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3164)
    • Create files in the Startup directory

      • taskhost.exe (PID: 3216)
    • Adds path to the Windows Defender exclusion list

      • Fortnite Store.exe (PID: 2428)
      • cmd.exe (PID: 3652)
    • XWORM has been detected (YARA)

      • taskhost.exe (PID: 3216)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3412)
      • Hack Store.exe (PID: 3164)
    • Reads the Internet Settings

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3412)
      • Hack Store.exe (PID: 3164)
      • powershell.exe (PID: 3364)
    • Executable content was dropped or overwritten

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3164)
    • The process creates files with name similar to system file names

      • Fortnite Hack.exe (PID: 3432)
    • Application launched itself

      • Hack Store.exe (PID: 3412)
    • Starts CMD.EXE for commands execution

      • Fortnite Store.exe (PID: 2428)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3652)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3652)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3364)
    • Connects to unusual port

      • taskhost.exe (PID: 3216)
  • INFO

    • Reads the computer name

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3412)
      • taskhost.exe (PID: 3216)
      • Hack Store.exe (PID: 3164)
    • Reads the machine GUID from the registry

      • Fortnite Hack.exe (PID: 3432)
      • taskhost.exe (PID: 3216)
      • Hack Store.exe (PID: 3412)
      • Hack Store.exe (PID: 3164)
    • Checks supported languages

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3412)
      • taskhost.exe (PID: 3216)
      • Hack Store.exe (PID: 3164)
      • Fortnite Store.exe (PID: 2428)
    • Create files in a temporary directory

      • Fortnite Hack.exe (PID: 3432)
      • Hack Store.exe (PID: 3164)
    • Creates files or folders in the user directory

      • taskhost.exe (PID: 3216)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3364)

XWorm

(PID) Process: (3216) taskhost.exe
C2: uk-compete.gl.at.ply.gg:41845
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: USB.exe
Mutex: WI3v4CDxfkCfZqgk

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (64.5)
.dll | Win32 Dynamic Link Library (generic) (13.6)
.exe | Win32 Executable (generic) (9.3)
.exe | Win16/32 Executable Delphi generic (4.2)
.exe | Generic Win/DOS Executable (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:15 06:00:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 88064
InitializedDataSize: 33280
UninitializedDataSize: -
EntryPoint: 0x2400a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.2.0.9
ProductVersionNumber: 3.2.0.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Instagram : Sotre Hack
FileDescription: Store Hacker For Game
FileVersion: 3.2.0.9
InternalName: Fortnite Hack.exe
LegalCopyright: Copyright (C) 2020
OriginalFileName: Fortnite Hack.exe
ProductName: Store Hack Fortnite for all Chapters
ProductVersion: 3.2.0.9
AssemblyVersion: 3.2.0.9
All screenshots are available in the full report
Total processes: 49
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Graph nodes: start, fortnite hack.exe, hack store.exe (no specs), #XWORM taskhost.exe, hack store.exe, fortnite store.exe (no specs), cmd.exe (no specs), powershell.exe (no specs), cmd.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 2428
CMD: "C:\Users\admin\AppData\Local\Temp\Fortnite Store.exe"
Path: C:\Users\admin\AppData\Local\Temp\Fortnite Store.exe
Parent process: Hack Store.exe
User: admin
Company: Instagram : Sotre Hack
Integrity Level: HIGH
Description: Store Hacker For Game
Exit code: 3221225786
Version: 3.2.0.9
Modules (Images):
  c:\users\admin\appdata\local\temp\fortnite store.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
PID: 3164
CMD: "C:\Users\admin\AppData\Local\Temp\Hack Store.exe"
Path: C:\Users\admin\AppData\Local\Temp\Hack Store.exe
Parent process: Hack Store.exe
User: admin
Company: Instagram : Sotre Hack
Integrity Level: HIGH
Description: Store Hacker For Game
Exit code: 0
Version: 3.2.0.9
Modules (Images):
  c:\users\admin\appdata\local\temp\hack store.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3216
CMD: "C:\Users\admin\AppData\Local\Temp\taskhost.exe"
Path: C:\Users\admin\AppData\Local\Temp\taskhost.exe
Parent process: Fortnite Hack.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 1.0.0.0
Modules (Images):
  c:\users\admin\appdata\local\temp\taskhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
XWorm
(PID) Process: (3216) taskhost.exe
C2: uk-compete.gl.at.ply.gg:41845
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: USB.exe
Mutex: WI3v4CDxfkCfZqgk
PID: 3364
CMD: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\taskhost.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (Images):
  c:\windows\system32\windowspowershell\v1.0\powershell.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\atl.dll
  c:\windows\system32\user32.dll
PID: 3412
CMD: "C:\Users\admin\AppData\Local\Temp\Hack Store.exe"
Path: C:\Users\admin\AppData\Local\Temp\Hack Store.exe
Parent process: Fortnite Hack.exe
User: admin
Company: Instagram : Sotre Hack
Integrity Level: MEDIUM
Description: Store Hacker For Game
Exit code: 0
Version: 3.2.0.9
Modules (Images):
  c:\users\admin\appdata\local\temp\hack store.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3432
CMD: "C:\Users\admin\AppData\Local\Temp\Fortnite Hack.exe"
Path: C:\Users\admin\AppData\Local\Temp\Fortnite Hack.exe
Parent process: explorer.exe
User: admin
Company: Instagram : Sotre Hack
Integrity Level: MEDIUM
Description: Store Hacker For Game
Exit code: 0
Version: 3.2.0.9
Modules (Images):
  c:\users\admin\appdata\local\temp\fortnite hack.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3652
CMD: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\taskhost.exe'"
Path: C:\Windows\System32\cmd.exe
Parent process: Fortnite Store.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
PID: 3936
CMD: C:\Windows\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
Parent process: Fortnite Store.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
Total events: 12 252
Read events: 12 220
Write events: 32
Delete events: 0

Modification events

(PID) Process: (3432) Fortnite Hack.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3432) Fortnite Hack.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (3432) Fortnite Hack.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (3432) Fortnite Hack.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (3412) Hack Store.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3412) Hack Store.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (3412) Hack Store.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (3412) Hack Store.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (3164) Hack Store.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3164) Hack Store.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Executable files: 3
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3432 | Fortnite Hack.exe | C:\Users\admin\AppData\Local\Temp\Hack Store.exe | executable
  MD5: EE36797C89C2DA5B08C29CF413C95378
  SHA256: 002721D876E2BEF274958976E481564560B91240E155F94C8D214F6E0D866C5A
3216 | taskhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.lnk | binary
  MD5: 180C96FCD9ECFD301289F22DBF74FB2F
  SHA256: F41BD2F8E656E10E98A07813FF5F6427C9D81F691306688AC8C2184C14EAB25E
3432 | Fortnite Hack.exe | C:\Users\admin\AppData\Local\Temp\taskhost.exe | executable
  MD5: E248FE85AC55B289AC8EB79183EFA854
  SHA256: 70171E6B5A338DAA730B4BE04DD84DF43B5ADA322357B0EA7F5D5CC10EB461BF
3364 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3164 | Hack Store.exe | C:\Users\admin\AppData\Local\Temp\Fortnite Store.exe | executable
  MD5: 1A7144B53D2C1402759E730E2CECE8BC
  SHA256: 39475E2D7B8F90FD9226A41FC39E2B8AD7AA291AD3C9BFC4CF89FC42075D4C99
3364 | powershell.exe | C:\Users\admin\AppData\Local\Temp\kvjyp1lm.rri.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3364 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ytirviut.bz4.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
HTTP(S) requests: 4
TCP/UDP connections: 18
DNS requests: 7
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
- | - | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | US | - | - | whitelisted
1060 | svchost.exe | GET | 304 | 2.19.126.163:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b | DE | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | taskhost.exe | 147.185.221.16:41845 | uk-compete.gl.at.ply.gg | PLAYIT-GG | US | malicious
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.46 | whitelisted
uk-compete.gl.at.ply.gg | 147.185.221.16 | malicious
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172, 2.19.126.163, 2.19.126.137 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup