| File name: | XWorm V6.0.7z |
| Full analysis: | https://app.any.run/tasks/76e06137-5bcb-4aae-9390-de83842c1808 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | July 04, 2025, 13:37:13 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 41484B3861D3134E93DE13F9AAAACFA4 |
| SHA1: | B4B707EF3AFF4361ABA77F2F9B42F964BAA23DEE |
| SHA256: | 0C0FE862FCC63516531E2642FE2BC0792D0322F72724F8D667B89C56F546450E |
| SSDEEP: | 98304:NKeVVL6wSsgu9NflKDLQMQ2V63aesK2wsYod+c9ZAa8WmkgH/5OJQ3Qns7ciIjNm:/fOP7FPgfwP5aurBRrZh9V8CZWXy40sh |
MALICIOUS
XWORM has been detected (YARA)
- XWorm V6.0.exe (PID: 2180)
- XWORM.exe (PID: 2512)
Uses Task Scheduler to run other applications
- XWORM.exe (PID: 2512)
XWORM has been detected (SURICATA)
- XWORM.exe (PID: 2512)
PHISHING has been detected (SURICATA)
- svchost.exe (PID: 2200)
Changes the autorun value in the registry
- XWORM.exe (PID: 2512)
SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 2848)
The process creates files with name similar to system file names
- WinRAR.exe (PID: 2848)
Reads security settings of Internet Explorer
- XWorm V6.0.exe (PID: 2180)
- XWORM.exe (PID: 2512)
The process checks if it is being run in the virtual environment
- XWorm V6.0.exe (PID: 2180)
Found regular expressions for crypto-addresses (YARA)
- XWorm V6.0.exe (PID: 2180)
There is functionality for taking screenshot (YARA)
- XWorm V6.0.exe (PID: 2180)
Executable content was dropped or overwritten
- vbc.exe (PID: 7108)
- XWORM.exe (PID: 2512)
Checks for external IP
- svchost.exe (PID: 2200)
- XWORM.exe (PID: 2512)
Likely accesses (executes) a file from the Public directory
- schtasks.exe (PID: 2836)
- WinServ.exe (PID: 5712)
Reads the date of Windows installation
- XWORM.exe (PID: 2512)
Contacting a server suspected of hosting an CnC
- XWORM.exe (PID: 2512)
The process executes via Task Scheduler
- WinServ.exe (PID: 5712)
Connects to unusual port
- XWORM.exe (PID: 2512)
There is functionality for capture public ip (YARA)
- XWorm V6.0.exe (PID: 2180)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2848)
Checks supported languages
- XWorm V6.0.exe (PID: 2180)
- cvtres.exe (PID: 504)
- XWORM.exe (PID: 2512)
- identity_helper.exe (PID: 3964)
- vbc.exe (PID: 7108)
- WinServ.exe (PID: 5712)
Reads the computer name
- XWorm V6.0.exe (PID: 2180)
- identity_helper.exe (PID: 3964)
- XWORM.exe (PID: 2512)
- WinServ.exe (PID: 5712)
Manual execution by a user
- XWorm V6.0.exe (PID: 2180)
- XWORM.exe (PID: 2512)
- msedge.exe (PID: 6680)
Checks proxy server information
- XWorm V6.0.exe (PID: 2180)
- slui.exe (PID: 1100)
- XWORM.exe (PID: 2512)
Reads the machine GUID from the registry
- XWorm V6.0.exe (PID: 2180)
- XWORM.exe (PID: 2512)
- vbc.exe (PID: 7108)
- WinServ.exe (PID: 5712)
Reads the software policy settings
- slui.exe (PID: 1100)
Create files in a temporary directory
- cvtres.exe (PID: 504)
- XWorm V6.0.exe (PID: 2180)
- vbc.exe (PID: 7108)
Application launched itself
- msedge.exe (PID: 6680)
Reads Environment values
- identity_helper.exe (PID: 3964)
- XWORM.exe (PID: 2512)
Disables trace logs
- XWORM.exe (PID: 2512)
Process checks computer location settings
- XWORM.exe (PID: 2512)
Launching a file from a Registry key
- XWORM.exe (PID: 2512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
EXIF
ZIP
| FileVersion: | 7z v0.04 |
|---|
Total processes
190
Monitored processes
42
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 236 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5548,i,5278500189840472028,3872136600607383838,262144 --variations-seed-version --mojo-platform-channel-handle=136 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 504 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES7CF6.tmp" "C:\Users\admin\AppData\Local\Temp\vbcBCCF1D3F78654A2E8AEAEEEA3C82E16.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | vbc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 1100 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1356 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2248,i,5278500189840472028,3872136600607383838,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1520 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=3436,i,5278500189840472028,3872136600607383838,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1564 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6208,i,5278500189840472028,3872136600607383838,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1964 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=7008,i,5278500189840472028,3872136600607383838,262144 --variations-seed-version --mojo-platform-channel-handle=6820 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2148 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=6096,i,5278500189840472028,3872136600607383838,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2180 | "C:\Users\admin\Desktop\XWorm V6.0\XWorm V6.0.exe" | C:\Users\admin\Desktop\XWorm V6.0\XWorm V6.0.exe | explorer.exe | ||||||||||||
User: admin Company: t.me XCoderTools Integrity Level: MEDIUM Description: XWorm V6.0 Version: 6.0.0.0 Modules
| |||||||||||||||
| 2200 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
17 334
Read events
17 178
Write events
153
Delete events
3
Modification events
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\XWorm V6.0.7z | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2848) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000 | |||
Executable files
80
Suspicious files
612
Text files
116
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (14).ico | image | |
MD5:0C24EDEC606ABDA7C6570B7DCF439298 | SHA256:8FC693238AFC49A8098DAC1762BFAE891E818BB84749C6EEF5F1B0C6C8FFDDB2 | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Background.png | image | |
MD5:C93EE3ABEFF4AC24936471F80B36EC7A | SHA256:2F691CAFF7E1980CFB069D2608B6470B3A06CDB90467CE47820E8602115A0C5B | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\GeoIP.dat | binary | |
MD5:8EF41798DF108CE9BD41382C9721B1C9 | SHA256:BC07FF22D4EE0B6FAFCC12482ECF2981C172A672194C647CEDF9B4D215AD9740 | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (10).ico | image | |
MD5:AD1740CB3317527AA1ACAE6E7440311E | SHA256:7A97547954AAAD629B0563CC78BCA75E3339E8408B70DA2ED67FA73B4935D878 | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (12).ico | image | |
MD5:4EA9AB789F5AE96766E3F64C8A4E2480 | SHA256:84B48CA52DFCD7C74171CF291D2EF1247C3C7591A56B538083834D82857FEE50 | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (17).ico | image | |
MD5:167425A3FA7114B1800AA903ADC35B2A | SHA256:12F600B09C0DB00877684A950FC14936ECC28DF8F0DDC6821D68E4B82077AD92 | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (13).ico | image | |
MD5:E6FEC4185B607E01A938FA405E0A6C6C | SHA256:2E2F17B7DD15007192E7CBBD0019355F8BE58068DC5042323123724B99AE4B44 | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (16).ico | image | |
MD5:14465D8D0F4688A4366C3BF163BA0A17 | SHA256:3F3C5CE486E5B9FA88DC60B60916053E8808C69167DF1A11287FD3CD6DB1CA6E | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (2).ico | image | |
MD5:F1463F4E1A6EF6CC6E290D46830D2DA1 | SHA256:142B529799268A753F5214265C53A26A7A6F8833B31640C90A69A4FF94CEE5EC | |||
| 2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.6679\XWorm V6.0\Icons\icon (11).ico | image | |
MD5:1C2CEA154DEEDC5A39DAEC2F1DADF991 | SHA256:3B64B79E4092251EBF090164CD2C4815390F34849BBD76FB51085B6A13301B6D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
121
DNS requests
112
Threats
33
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5444 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5824 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5824 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | — | — | whitelisted |
1356 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:ASSM6ReCS4B5KH9PQvTG89c2AalI8-gfiIsgxuP12fE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | — | — | whitelisted |
1148 | svchost.exe | HEAD | 200 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752100002&P2=404&P3=2&P4=dVDtk2nOW2xwHko5Xz9YztqmbWKsH2MP5vAfVCFjMMxiCFRdd5kkd0NmD28iEul3mNyonGXFsXbYCPffrgfzSw%3d%3d | unknown | — | — | whitelisted |
1148 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752100002&P2=404&P3=2&P4=dVDtk2nOW2xwHko5Xz9YztqmbWKsH2MP5vAfVCFjMMxiCFRdd5kkd0NmD28iEul3mNyonGXFsXbYCPffrgfzSw%3d%3d | unknown | — | — | whitelisted |
1148 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752100002&P2=404&P3=2&P4=dVDtk2nOW2xwHko5Xz9YztqmbWKsH2MP5vAfVCFjMMxiCFRdd5kkd0NmD28iEul3mNyonGXFsXbYCPffrgfzSw%3d%3d | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5720 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5444 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5444 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2336 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
1356 | msedge.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
Process | Message |
|---|---|
XWorm V6.0.exe | Obfuscated!
|