File name:

FULLOPTION CRACK BY SLUMZICK V2.1.exe

Full analysis: https://app.any.run/tasks/3e2bf29c-4461-4ee3-97a1-ac576b7b3271
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: October 25, 2024, 00:57:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
xworm
antivm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

C277EC9206AC5AAAF6324B3DDC1C7FCC

SHA1:

55F70235F9C19A26A0674B37EF521E447F1E778A

SHA256:

6046CEA23197FE186B384E054FE6523D1251E667BECB26A7822BAC3D2573F50F

SSDEEP:

98304:8fiqnM3i4+mKoARsepagrnKMBangdNJWPNvKsLYqw4z0BoiqjqJaHofMvD4Vk1rj:9/fLL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • svchost.exe.exe (PID: 3916)

    • XWORM has been detected (YARA)

      • svchost.exe.exe (PID: 3916)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)

    • Reads the date of Windows installation

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)

    • The process creates files with name similar to system file names

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)

    • Executable content was dropped or overwritten

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)
      • svchost.exe.exe (PID: 3916)

    • Checks for external IP

      • svchost.exe (PID: 2172)
      • svchost.exe.exe (PID: 3916)

    • Connects to unusual port

      • svchost.exe.exe (PID: 3916)

    • There is functionality for VM detection VirtualBox (YARA)

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6436)

    • The process executes via Task Scheduler

      • XClient.exe (PID: 1008)

  • INFO

    • Reads the computer name

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)
      • svchost.exe.exe (PID: 3916)

    • Reads the machine GUID from the registry

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)
      • svchost.exe.exe (PID: 3916)

    • Creates files or folders in the user directory

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)
      • svchost.exe.exe (PID: 3916)

    • Checks supported languages

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)
      • svchost.exe.exe (PID: 3916)

    • Process checks computer location settings

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)

    • Disables trace logs

      • svchost.exe.exe (PID: 3916)

    • Reads Environment values

      • svchost.exe.exe (PID: 3916)

    • The process uses the downloaded file

      • FULLOPTION CRACK BY SLUMZICK V2.1.exe (PID: 6300)

    • Checks proxy server information

      • svchost.exe.exe (PID: 3916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(3916) svchost.exe.exe
C2127.0.0.1,185.84.160.182:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
Mutex7XTNYlPdTiPQHpBL
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:15 08:31:14+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 4155392
InitializedDataSize: 120320
UninitializedDataSize: -
EntryPoint: 0x3f872e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: FULLOPTION CRACK BY SLUMZICK V2.1.exe
LegalCopyright:
OriginalFileName: FULLOPTION CRACK BY SLUMZICK V2.1.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start fulloption crack by slumzick v2.1.exe #XWORM svchost.exe.exe fulloption crack by slumzick v2.1.exe no specs THREAT fulloption crack by slumzick v2.1.exe svchost.exe schtasks.exe no specs conhost.exe no specs xclient.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1008"C:\Users\admin\AppData\Roaming\XClient.exe"C:\Users\admin\AppData\Roaming\XClient.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1572\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3744"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "XClient" /tr "C:\Users\admin\AppData\Roaming\XClient.exe"C:\Windows\System32\schtasks.exesvchost.exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3916"C:\Users\admin\AppData\Roaming\svchost.exe.exe" C:\Users\admin\AppData\Roaming\svchost.exe.exe
FULLOPTION CRACK BY SLUMZICK V2.1.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(3916) svchost.exe.exe
C2127.0.0.1,185.84.160.182:7000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
Mutex7XTNYlPdTiPQHpBL
6300"C:\Users\admin\Desktop\FULLOPTION CRACK BY SLUMZICK V2.1.exe" C:\Users\admin\Desktop\FULLOPTION CRACK BY SLUMZICK V2.1.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\fulloption crack by slumzick v2.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6436"C:\Users\admin\AppData\Roaming\FULLOPTION CRACK BY SLUMZICK V2.1.exe" C:\Users\admin\AppData\Roaming\FULLOPTION CRACK BY SLUMZICK V2.1.exe
FULLOPTION CRACK BY SLUMZICK V2.1.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\fulloption crack by slumzick v2.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\d3d11.dll
6768"C:\Users\admin\AppData\Roaming\FULLOPTION CRACK BY SLUMZICK V2.1.exe" C:\Users\admin\AppData\Roaming\FULLOPTION CRACK BY SLUMZICK V2.1.exeFULLOPTION CRACK BY SLUMZICK V2.1.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\roaming\fulloption crack by slumzick v2.1.exe
c:\windows\system32\ntdll.dll
Total events
2 164
Read events
2 163
Write events
1
Delete events
0

Modification events

(PID) Process:(3916) svchost.exe.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:XClient
Value:
C:\Users\admin\AppData\Roaming\XClient.exe
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6300FULLOPTION CRACK BY SLUMZICK V2.1.exeC:\Users\admin\AppData\Roaming\FULLOPTION CRACK BY SLUMZICK V2.1.exeexecutable
MD5:2F6E9C0DD1C6859A9D6E7ACEA1DB9AC0
SHA256:122E3CB0F2AD233D1A364911D433667E7778F00D9A7D10B954C994F4E8093D1F
3916svchost.exe.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkbinary
MD5:489E8C9185862681B1D278CE2A544315
SHA256:7EDB088909FC8F39F08CAC8B3966D2206C7F62D3417789468459C37225A13079
3916svchost.exe.exeC:\Users\admin\AppData\Roaming\XClient.exeexecutable
MD5:DF9EAFD43B7F4173E0593B24CFE09547
SHA256:BD33EEAAE39CCA278C4DF17A17B1C672CACBA0DF00D6302DC71C54408EA64C1C
6300FULLOPTION CRACK BY SLUMZICK V2.1.exeC:\Users\admin\AppData\Roaming\svchost.exe.exeexecutable
MD5:DF9EAFD43B7F4173E0593B24CFE09547
SHA256:BD33EEAAE39CCA278C4DF17A17B1C672CACBA0DF00D6302DC71C54408EA64C1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
56
DNS requests
18
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3916
svchost.exe.exe
GET
404
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.149:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4360
SearchApp.exe
2.23.209.149:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
816
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3916
svchost.exe.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
7028
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.149
  • 2.23.209.182
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.130
  • 2.23.209.133
whitelisted
google.com
  • 142.250.186.46
whitelisted
ip-api.com
  • 208.95.112.1
shared
login.live.com
  • 40.126.32.134
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.72
  • 40.126.32.138
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
  • 2a01:111:f100:a000::4134:4847
whitelisted
18.31.95.13.in-addr.arpa
unknown
7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
unknown

Threats

PID
Process
Class
Message
2172
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2172
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3916
svchost.exe.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
3916
svchost.exe.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FULLOPTION CRACK BY SLUMZICK V2.1.exe