Extracted

• • Target

    shooting the oops.exe

  • Size

    39KB

  • MD5

    c9bd74622a8a1531b93a03ac9c3ba67d

  • SHA1

    b0354cf79ae41e2320d888a38d1c62915bb79445

  • SHA256

    c750a86768228dbb5143efaf9bf1fc980129ed2b51be5bb40ef1db2dd41e9c05

  • SHA512

    6bacb2e43ac5c3d8d2922091f1e263ccfaae3317b0eaae80f973e1344fcb3ce07091712edaa5ab0f9518d08b963c39b13ef085592dc6410509a21fefcab52263

  • SSDEEP

    768:vifC8qTvhE58LEIDPiKuukR7LH3tTfFWPt9eE56cOMh+alE:viTqTvhOeEIbiKuumnNFe9eE56cOME3

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2