Worm.RunOnce

By CagedTech in Worms

Threat Scorecard

Popularity Rank: 12,277
Threat Level: 50 % (Medium)
Infected Computers: 5,808
First Seen: September 4, 2014
Last Seen: February 4, 2026
OS(es) Affected: Windows

File System Details

Worm.RunOnce may create the following file(s):
# | File Name | MD5 | Detections
1. | 54bc7038533d4f34690e8a17cc2a3fa57d2336f7a847dacd00cab08fb5e9ffb4.exe | 53f7ee22e8d85933522a38eff6c5a61f | 4
2. | file.exe | 7f70eea7245eaa6e4e121b6a3cf25365 | 0
3. | readme.eml | da53e42e8d0b3628860b0240eaaca9ba | 0

Analysis Report

General information

Family Name: Worm.RunOnce
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • Microsoft Corporation
  • WORK PRODUCT, INC.
Company Short Name WORK PRODUCT, INC.
File Description
  • Copilot Update
  • File Folder
  • KMPLoading
  • Microsoft OneDrive
  • OneBrowser
File Version
  • 109.0.5414.120
  • 17.3.4604.0120
  • 1.3.211.7
  • 1.0.0.0
Internal Name
  • chrome_pwa_launcher
  • Client Application
  • CopilotUpdate.exe
Last Change 168eebf2055fd26ca8c71787b7b3f9fe7c90d13d-refs/branch-heads/5414@{#1459}
Legal Copyright
  • Copyright 2023 WORK PRODUCT, INC. All rights reserved.
  • Copyright Microsoft Corporation
  • © Microsoft Corporation. All rights reserved.
Official Build 1
Original Filename
  • chrome_pwa_launcher.exe
  • CopilotUpdate.exe
  • OneDrive.exe
Product Name
  • Copilot Update
  • KMPLoading
  • Microsoft OneDrive
  • OneBrowser
Product Short Name OneBrowser
Product Version
  • 109.0.5414.120
  • 17.3.4604.0120
  • 1.3.211.7
  • 1.0.0.0
Program ID com.embarcadero.KMPLoading

Digital Signatures

Signer | Root | Status
Microsoft Corporation | Microsoft Code Signing PCA | Hash Mismatch
Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch
WORK PRODUCT, INC. | SSL.com EV Code Signing Intermediate CA RSA R3 | Hash Mismatch
Pandora TV Co., Ltd. | thawte Primary Root CA | Hash Mismatch

File Traits

  • 2+ executable sections
  • HighEntropy
  • No Version Info
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 60
Potentially Malicious Blocks: 52
Whitelisted Blocks: 7
Unknown Blocks: 1

Visual Map

? x x x x x x x x x 0 x x x 0 x x 0 x x x 0 x x x x x x x x x x x 0 x x x x 0 x x x x x x x x x x x x x x 0 x x x x x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.DSS
  • Autoit
  • BadJoke.XA
  • Banker.F
  • Banker.FA
  • Banker.GF
  • Banload.XG
  • Banload.XH
  • Banload.XJ
  • Bitcoinminer.BDA
  • Bitcoinminer.BDB
  • Bitcoinminer.DJE
  • Danabot.DI
  • Detplock.A
  • Injector.KPP
  • Lamer.B
  • Malat.A
  • Ropalidia.D
  • Rugmi.T
  • Runouce.A

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count | | RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state | | RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes | (NULL) | RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes | | RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state | | RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetUserObjectInformation
Process Shell Execute
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState

Shell Command Execution

open http://jdl.sun.com/webapps/getjava/BrowserRedirect?locale=pt_BR&host=www.java.com:80
