xworm | hxxps://store3[.]gofile[.]io/download/web/5a35b2f7-ceb4-48da-ad15-58a49c55c739/VelocitySupportTool[.]exe

Analysis

max time kernel
126s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://store3.gofile.io/download/web/5a35b2f7-ceb4-48da-ad15-58a49c55c739/VelocitySupportTool.exe

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

tTke5rVlOvz3zHAt

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/MNJM1De2

aes.plain

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/izCnqikF

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aee3-127.dat	family_xworm
behavioral1/files/0x001f00000002af96-143.dat	family_xworm
behavioral1/memory/3040-147-0x00000000001B0000-0x00000000001D8000-memory.dmp	family_xworm
behavioral1/memory/4780-146-0x0000000000440000-0x0000000000488000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4060	powershell.exe
2888	powershell.exe
388	powershell.exe
328	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	2780	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
3744	VelocitySupportTool.exe
4780	Velocity Fixer.exe
3040	XClient.exe
4216	svchost.exe
3036	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
58	pastebin.com
55	pastebin.com
30	pastebin.com
33	pastebin.com
35	pastebin.com
45	pastebin.com
52	pastebin.com
56	pastebin.com
16	pastebin.com
32	pastebin.com
46	pastebin.com
47	pastebin.com
50	pastebin.com
60	pastebin.com
53	pastebin.com
57	pastebin.com
42	pastebin.com
31	pastebin.com
34	pastebin.com
39	pastebin.com
40	pastebin.com
43	pastebin.com
51	pastebin.com
29	pastebin.com
44	pastebin.com
48	pastebin.com
54	pastebin.com
37	pastebin.com
41	pastebin.com
61	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VelocitySupportTool.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 966484.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VelocitySupportTool.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2780	msedge.exe
2780	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
2056	msedge.exe
2056	msedge.exe
1784	identity_helper.exe
1784	identity_helper.exe
1216	msedge.exe
1216	msedge.exe
2888	powershell.exe
2888	powershell.exe
2888	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
328	powershell.exe
328	powershell.exe
328	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	Velocity Fixer.exe
Token: SeDebugPrivilege	3040	XClient.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4216	svchost.exe
Token: SeDebugPrivilege	3036	svchost.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1496	1172	msedge.exe	78
PID 1172 wrote to memory of 1496	1172	msedge.exe	78
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 4648	1172	msedge.exe	79
PID 1172 wrote to memory of 2780	1172	msedge.exe	80
PID 1172 wrote to memory of 2780	1172	msedge.exe	80
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81
PID 1172 wrote to memory of 4100	1172	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://store3.gofile.io/download/web/5a35b2f7-ceb4-48da-ad15-58a49c55c739/VelocitySupportTool.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd255c3cb8,0x7ffd255c3cc8,0x7ffd255c3cd8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7724153794974518684,3254538217580994832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4652

C:\Users\Admin\Downloads\VelocitySupportTool.exe
"C:\Users\Admin\Downloads\VelocitySupportTool.exe"
1⤵
- Executes dropped EXE
PID:3744
- C:\Users\Admin\AppData\Roaming\Velocity Fixer.exe
  "C:\Users\Admin\AppData\Roaming\Velocity Fixer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1332

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8baaf6c583536c9e6327e9d4fddb4cc

SHA1
0c1436d1a870038a6cb0195704658ef59ef78906

SHA256
7cea1717ca57c727378be31a2046e1b4be05ceaff81e76d45b5b3fb1a0b09507

SHA512
6cdb5d74ebf3c2f398c2032e6047f32b342db6f28f997c9c3df2351e307b316a6d66127a3ba6f0b1a721e5afd50a5578ec9835ea25708fcd49850ec4ba64dd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5332d65d7c50eee952b71eda55782f27

SHA1
9039a05b96d6f5fc532a4ddb304ec01aa2fe5879

SHA256
b677f0eeb2f0c049f48cc35d484ead2ba5434a74e4264e64d7f426fe45f2ff0e

SHA512
eeff99092be3b0bcf81e9ba0f2a72d592938ef90952e533f903707d1e0af2138db62a4b491476f499a0909bf52fc7aada7aa832c73aa882d40f488afe5b29b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
8e5a33b227d9c1edbc501bce935f46ac

SHA1
d47516c0dd2b2b2d41c64d0edc77e8a78a20cd4c

SHA256
51649d2ea1c212f269e71b809ec341eb8dd4dab645aa4c6d22ba9ebdcc1ed4c8

SHA512
3c36e16d2489228e6aaeed79ed497203a6ba5ade79195a2db964efe213a29a77fc0ae5a07de8d96d56d0dfe58754d179851826e4b031e6ac304446d9f0059d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
0f6d48d28f3398c4f70388657884288f

SHA1
296a46a341d8fa303970053f713b27277ba0f139

SHA256
023d03a2f36fac62c6a15b3cbb3c419a1299f32446831e615eefd08303674cf6

SHA512
a26af5692fa87154e2e2cbb15b307eb1a9cf4f11ef0881d55a3bb36da4c19d85917887098c3b801d61f0fae9e5731aa56d339a44397a8a0299ec4811d8e94f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
17f139895be96a175c15e135dd5bb9ee

SHA1
7133f0af477beedb3479aec81c94c07814b6c490

SHA256
69c5f77b07481cac46e9a77921bb7eeb02903b799e06592dd2c8ef210dca3104

SHA512
8265770c6d5b07bd369d539afefef2c85984bcd09b62f6c539541331c34d1ffb59577704b938b569a1fe3f7c41c5b105d5e35173bedd1937579f83e1b3ce0796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85833515995a37943f92a6a66663241d

SHA1
ebafaa46a69cc2cdb1eae6f42eaa761c021acad2

SHA256
5b393bf4f8deeb8b333112255100c7dc6aa8eed3d79eb34b62de81268729fb60

SHA512
d3ccf9b568d6204e53a1f0689ca43a0631ed8ff86c57788b21a68c40a44c4fbd65eaced3f07b322b9bec0076b95abdf63a51f5f1774c1269d2c342133e5fdd44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d8d2774f44d3e196e011c8503c5ce4e2

SHA1
5a157140f041b67f20c82d08a00ffd0cc1ba8882

SHA256
03fffae1e6dc106d94b80ce4efebc2cda61a2317c5e9bc99baf82d94a7f9ac43

SHA512
5fb446e3ded4e3a53eba97334484a736a559abf02b28870dfdc37e0699eb3d5c12303811f9c70ea5f9c2102cd8239b0d761b44e74be1f5faa2dd33a1318b55a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca780d4787f6e507977a6ff9a9fbdfc1

SHA1
d6743ea8852a19985fc9ce17d1b8cc212e50d270

SHA256
33538028b70288e9f161c976e29369c3283087e309a9ea55b135127c51ded2a3

SHA512
6e3242cfd49cd412254d8b848ee49e909e06b473fbbac94d42dc8c3c500c7db19fc0786f858bfa5af34d3a846b768e9fca4f7c779d5004c31824eda8f507abd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4093e5ab3812960039eba1a814c2ffb0

SHA1
b5e4a98a80be72fccd3cc910e93113d2febef298

SHA256
c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

SHA512
f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elz0drao.xho.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Velocity Fixer.exe

Filesize
263KB

MD5
7a8aec43738451e03f7302cb6f9eb8f0

SHA1
3ba245017e74d31dc32a6a9c6214ede293aa62ea

SHA256
4a3a259929b2470c22eaa7ebd87b0d9fb28d9dc8b09a3498f7d4f694f97cf5cb

SHA512
7cd4389202c2d8e364537bed214986e6d22ae4d024a22ac64610739f88b5d1a3234fb703c1a2463f6b7c8d28b04b00ca4fc5ddb8098165ec8d7f096f898cc370

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
137KB

MD5
3a48e35679c9ca68d67f4f953400ea42

SHA1
b8aabd5ddfbb79b49c1ed4be7a72160d724d12ad

SHA256
95dcf46bed45d69acc10186864b2fd7593bd9013aa0b32d05c76626e21cee6a3

SHA512
be6c29115bfcf53db1370ca8239aaa5fb4c6f4c4ec4c6fb0abfccb129162ebb87ccba4b04cbfb2070bec32e174ce9171134ca113b9713eb5b52037b31c21f8d4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 966484.crdownload

Filesize
410KB

MD5
9cb6b1f77a007eee5ab4a9d549ad6cb1

SHA1
23d85d4bb7178b1936d83e0c2888a72c5b7c16c3

SHA256
8164a868e78635a5cf0408d4ffe76dee9a3e0b85890d5afb34662715d3290a67

SHA512
755fd59177849d1bb881a3b46da9da5e49ab82de948c650a64de67cbf37e080926004595289f2f1454bdc4a31da84877afee1b142a1327b7af5da67cea9a9b02

Download Submit
C:\Users\Admin\Downloads\VelocitySupportTool.exe:Zone.Identifier

Filesize
166B

MD5
1bec797d9dc1df574f01c5d1982d5b39

SHA1
940d4c56223a21f65b17a652a7f20fd90a4147f7

SHA256
143bb277f89672a9618422c04ac07b8b0bfdfc1cc4b5070b834d1c47445be8f3

SHA512
b816e3cd08375d56300caf4199d05233adf69628cf8812e7f33d46ad818a6d71833f57d900a6d9385988e232c7c92b3d1cadb1e8a166a688efae4f578c889e6a

Download Submit
memory/328-182-0x0000028BEC760000-0x0000028BEC7AB000-memory.dmp

Filesize
300KB

Download
memory/388-171-0x0000024A6DBC0000-0x0000024A6DC0B000-memory.dmp

Filesize
300KB

Download
memory/2888-159-0x00000299E9CA0000-0x00000299E9CEB000-memory.dmp

Filesize
300KB

Download
memory/2888-153-0x00000299D1780000-0x00000299D17A2000-memory.dmp

Filesize
136KB

Download
memory/3040-147-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/3744-122-0x0000000000B30000-0x0000000000B9C000-memory.dmp

Filesize
432KB

Download
memory/4060-193-0x000001C9E69B0000-0x000001C9E69FB000-memory.dmp

Filesize
300KB

Download
memory/4780-146-0x0000000000440000-0x0000000000488000-memory.dmp

Filesize
288KB

Download