xworm | b485b0b51b8307c750b3452a7965e538d9576f76ccab3b6e4a086201e854ef7f

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

2.0MB
MD5

cb426d21428bc8468cf85d260f0b35b3
SHA1

1c719bb607925916fc2446002f2c1f8ced2adf3f
SHA256

b485b0b51b8307c750b3452a7965e538d9576f76ccab3b6e4a086201e854ef7f
SHA512

23c2691731665a5d1ebc908a8b52f684c68fe7e9253dbedd59deae683d3ffe0b24db1d2f74a692e957e2b931558a662af38821d9412eb7428dab623fa2e30ac6
SSDEEP

49152:K2ooOms+N4tFHLO9LCiGxyLp9UaqNU3skJVPA78Cj:K0K7LOwifLp9K1sVE8

Score

10^/10

xworm pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

qxXFT7Xfzgf1uMiL

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/MNJM1De2

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cdb-29.dat	family_xworm
behavioral2/memory/3536-37-0x0000000000780000-0x00000000007A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	VelocitySupportTool.exe

Executes dropped EXE 64 IoCs

pid	Process
1152	FixVelocity.exe
5244	VelocitySupportTool.exe
4988	VelocitySupportTool.exe
3536	VelocitySupport.exe
544	VelocitySupportTool.exe
4736	VelocitySupport.exe
6076	VelocitySupportTool.exe
3712	VelocitySupport.exe
4184	VelocitySupportTool.exe
5692	VelocitySupport.exe
2476	VelocitySupportTool.exe
5860	VelocitySupport.exe
4528	VelocitySupportTool.exe
4888	VelocitySupport.exe
1584	VelocitySupportTool.exe
1300	VelocitySupport.exe
4296	VelocitySupportTool.exe
4264	VelocitySupport.exe
772	VelocitySupportTool.exe
1496	VelocitySupport.exe
1396	VelocitySupportTool.exe
1920	VelocitySupport.exe
820	VelocitySupportTool.exe
4216	VelocitySupport.exe
5956	VelocitySupportTool.exe
5588	VelocitySupport.exe
1788	VelocitySupportTool.exe
2084	VelocitySupport.exe
5420	VelocitySupportTool.exe
1516	VelocitySupport.exe
5332	VelocitySupportTool.exe
5812	VelocitySupport.exe
4304	VelocitySupportTool.exe
5040	VelocitySupport.exe
2492	VelocitySupportTool.exe
2712	VelocitySupport.exe
660	VelocitySupportTool.exe
5288	VelocitySupport.exe
1296	VelocitySupportTool.exe
4836	VelocitySupport.exe
3672	VelocitySupportTool.exe
1044	VelocitySupport.exe
5732	VelocitySupportTool.exe
1768	VelocitySupport.exe
5944	VelocitySupportTool.exe
1764	VelocitySupport.exe
5936	VelocitySupportTool.exe
3928	VelocitySupport.exe
3704	VelocitySupportTool.exe
3068	VelocitySupport.exe
4804	VelocitySupportTool.exe
4392	VelocitySupport.exe
4244	VelocitySupport.exe
3416	VelocitySupportTool.exe
4400	VelocitySupportTool.exe
4536	VelocitySupport.exe
4940	VelocitySupportTool.exe
3864	VelocitySupport.exe
2476	VelocitySupportTool.exe
5856	VelocitySupport.exe
1668	VelocitySupportTool.exe
4228	VelocitySupport.exe
2092	VelocitySupport.exe
468	VelocitySupportTool.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000c000000023c2d-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	VelocitySupport.exe
Token: SeDebugPrivilege	4736	VelocitySupport.exe
Token: SeDebugPrivilege	3712	VelocitySupport.exe
Token: SeDebugPrivilege	5692	VelocitySupport.exe
Token: SeDebugPrivilege	5860	VelocitySupport.exe
Token: SeDebugPrivilege	4888	VelocitySupport.exe
Token: SeDebugPrivilege	1300	VelocitySupport.exe
Token: SeDebugPrivilege	4264	VelocitySupport.exe
Token: SeDebugPrivilege	1496	VelocitySupport.exe
Token: SeDebugPrivilege	1920	VelocitySupport.exe
Token: SeDebugPrivilege	4216	VelocitySupport.exe
Token: SeDebugPrivilege	5588	VelocitySupport.exe
Token: SeDebugPrivilege	2084	VelocitySupport.exe
Token: SeDebugPrivilege	1516	VelocitySupport.exe
Token: SeDebugPrivilege	5812	VelocitySupport.exe
Token: SeDebugPrivilege	5040	VelocitySupport.exe
Token: SeDebugPrivilege	2712	VelocitySupport.exe
Token: SeDebugPrivilege	5288	VelocitySupport.exe
Token: SeDebugPrivilege	4836	VelocitySupport.exe
Token: SeDebugPrivilege	1044	VelocitySupport.exe
Token: SeDebugPrivilege	1768	VelocitySupport.exe
Token: SeDebugPrivilege	1764	VelocitySupport.exe
Token: SeDebugPrivilege	3928	VelocitySupport.exe
Token: SeDebugPrivilege	3068	VelocitySupport.exe
Token: SeDebugPrivilege	4392	VelocitySupport.exe
Token: SeDebugPrivilege	4244	VelocitySupport.exe
Token: SeDebugPrivilege	4536	VelocitySupport.exe
Token: SeDebugPrivilege	3864	VelocitySupport.exe
Token: SeDebugPrivilege	5856	VelocitySupport.exe
Token: SeDebugPrivilege	4228	VelocitySupport.exe
Token: SeDebugPrivilege	2092	VelocitySupport.exe
Token: SeDebugPrivilege	1560	VelocitySupport.exe
Token: SeDebugPrivilege	3332	VelocitySupport.exe
Token: SeDebugPrivilege	5224	VelocitySupport.exe
Token: SeDebugPrivilege	3424	VelocitySupport.exe
Token: SeDebugPrivilege	4708	VelocitySupport.exe
Token: SeDebugPrivilege	372	VelocitySupport.exe
Token: SeDebugPrivilege	1204	VelocitySupport.exe
Token: SeDebugPrivilege	4240	VelocitySupport.exe
Token: SeDebugPrivilege	3108	VelocitySupport.exe
Token: SeDebugPrivilege	3412	VelocitySupport.exe
Token: SeDebugPrivilege	624	VelocitySupport.exe
Token: SeDebugPrivilege	5228	VelocitySupport.exe
Token: SeDebugPrivilege	3552	VelocitySupport.exe
Token: SeDebugPrivilege	2088	VelocitySupport.exe
Token: SeDebugPrivilege	5952	VelocitySupport.exe
Token: SeDebugPrivilege	1952	VelocitySupport.exe
Token: SeDebugPrivilege	3812	VelocitySupport.exe
Token: SeDebugPrivilege	4740	VelocitySupport.exe
Token: SeDebugPrivilege	4528	VelocitySupport.exe
Token: SeDebugPrivilege	5420	VelocitySupport.exe
Token: SeDebugPrivilege	3932	VelocitySupport.exe
Token: SeDebugPrivilege	1616	VelocitySupport.exe
Token: SeDebugPrivilege	4252	VelocitySupport.exe
Token: SeDebugPrivilege	4360	VelocitySupport.exe
Token: SeDebugPrivilege	4428	VelocitySupport.exe
Token: SeDebugPrivilege	3312	VelocitySupport.exe
Token: SeDebugPrivilege	3464	VelocitySupport.exe
Token: SeDebugPrivilege	5272	VelocitySupport.exe
Token: SeDebugPrivilege	5412	VelocitySupport.exe
Token: SeDebugPrivilege	3548	VelocitySupport.exe
Token: SeDebugPrivilege	2016	VelocitySupport.exe
Token: SeDebugPrivilege	1040	VelocitySupport.exe
Token: SeDebugPrivilege	6064	VelocitySupport.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5844 wrote to memory of 1152	5844	Output.exe	84
PID 5844 wrote to memory of 1152	5844	Output.exe	84
PID 5844 wrote to memory of 5244	5844	Output.exe	86
PID 5844 wrote to memory of 5244	5844	Output.exe	86
PID 5244 wrote to memory of 4988	5244	VelocitySupportTool.exe	88
PID 5244 wrote to memory of 4988	5244	VelocitySupportTool.exe	88
PID 5244 wrote to memory of 3536	5244	VelocitySupportTool.exe	89
PID 5244 wrote to memory of 3536	5244	VelocitySupportTool.exe	89
PID 4988 wrote to memory of 544	4988	VelocitySupportTool.exe	90
PID 4988 wrote to memory of 544	4988	VelocitySupportTool.exe	90
PID 4988 wrote to memory of 4736	4988	VelocitySupportTool.exe	91
PID 4988 wrote to memory of 4736	4988	VelocitySupportTool.exe	91
PID 544 wrote to memory of 6076	544	VelocitySupportTool.exe	93
PID 544 wrote to memory of 6076	544	VelocitySupportTool.exe	93
PID 544 wrote to memory of 3712	544	VelocitySupportTool.exe	94
PID 544 wrote to memory of 3712	544	VelocitySupportTool.exe	94
PID 6076 wrote to memory of 4184	6076	VelocitySupportTool.exe	95
PID 6076 wrote to memory of 4184	6076	VelocitySupportTool.exe	95
PID 6076 wrote to memory of 5692	6076	VelocitySupportTool.exe	96
PID 6076 wrote to memory of 5692	6076	VelocitySupportTool.exe	96
PID 4184 wrote to memory of 2476	4184	VelocitySupportTool.exe	153
PID 4184 wrote to memory of 2476	4184	VelocitySupportTool.exe	153
PID 4184 wrote to memory of 5860	4184	VelocitySupportTool.exe	98
PID 4184 wrote to memory of 5860	4184	VelocitySupportTool.exe	98
PID 2476 wrote to memory of 4528	2476	VelocitySupportTool.exe	203
PID 2476 wrote to memory of 4528	2476	VelocitySupportTool.exe	203
PID 2476 wrote to memory of 4888	2476	VelocitySupportTool.exe	100
PID 2476 wrote to memory of 4888	2476	VelocitySupportTool.exe	100
PID 4528 wrote to memory of 1584	4528	VelocitySupportTool.exe	101
PID 4528 wrote to memory of 1584	4528	VelocitySupportTool.exe	101
PID 4528 wrote to memory of 1300	4528	VelocitySupportTool.exe	103
PID 4528 wrote to memory of 1300	4528	VelocitySupportTool.exe	103
PID 1584 wrote to memory of 4296	1584	VelocitySupportTool.exe	104
PID 1584 wrote to memory of 4296	1584	VelocitySupportTool.exe	104
PID 1584 wrote to memory of 4264	1584	VelocitySupportTool.exe	105
PID 1584 wrote to memory of 4264	1584	VelocitySupportTool.exe	105
PID 4296 wrote to memory of 772	4296	VelocitySupportTool.exe	106
PID 4296 wrote to memory of 772	4296	VelocitySupportTool.exe	106
PID 4296 wrote to memory of 1496	4296	VelocitySupportTool.exe	107
PID 4296 wrote to memory of 1496	4296	VelocitySupportTool.exe	107
PID 772 wrote to memory of 1396	772	VelocitySupportTool.exe	109
PID 772 wrote to memory of 1396	772	VelocitySupportTool.exe	109
PID 772 wrote to memory of 1920	772	VelocitySupportTool.exe	110
PID 772 wrote to memory of 1920	772	VelocitySupportTool.exe	110
PID 1396 wrote to memory of 820	1396	VelocitySupportTool.exe	161
PID 1396 wrote to memory of 820	1396	VelocitySupportTool.exe	161
PID 1396 wrote to memory of 4216	1396	VelocitySupportTool.exe	112
PID 1396 wrote to memory of 4216	1396	VelocitySupportTool.exe	112
PID 820 wrote to memory of 5956	820	VelocitySupportTool.exe	113
PID 820 wrote to memory of 5956	820	VelocitySupportTool.exe	113
PID 820 wrote to memory of 5588	820	VelocitySupportTool.exe	114
PID 820 wrote to memory of 5588	820	VelocitySupportTool.exe	114
PID 5956 wrote to memory of 1788	5956	VelocitySupportTool.exe	115
PID 5956 wrote to memory of 1788	5956	VelocitySupportTool.exe	115
PID 5956 wrote to memory of 2084	5956	VelocitySupportTool.exe	116
PID 5956 wrote to memory of 2084	5956	VelocitySupportTool.exe	116
PID 1788 wrote to memory of 5420	1788	VelocitySupportTool.exe	205
PID 1788 wrote to memory of 5420	1788	VelocitySupportTool.exe	205
PID 1788 wrote to memory of 1516	1788	VelocitySupportTool.exe	118
PID 1788 wrote to memory of 1516	1788	VelocitySupportTool.exe	118
PID 5420 wrote to memory of 5332	5420	VelocitySupportTool.exe	119
PID 5420 wrote to memory of 5332	5420	VelocitySupportTool.exe	119
PID 5420 wrote to memory of 5812	5420	VelocitySupportTool.exe	120
PID 5420 wrote to memory of 5812	5420	VelocitySupportTool.exe	120

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Users\Admin\AppData\Roaming\FixVelocity.exe
  "C:\Users\Admin\AppData\Roaming\FixVelocity.exe"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
  "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5244
- - C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
    "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6076
      - C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5332
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        18⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        32⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        34⤵
        Checks computer location settings
        
        PID:3088
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        35⤵
        Checks computer location settings
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        36⤵
        Checks computer location settings
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        37⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        38⤵
        Checks computer location settings
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        39⤵
        Checks computer location settings
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        40⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        41⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        42⤵
        Checks computer location settings
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        43⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        44⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        45⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        46⤵
        Checks computer location settings
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        47⤵
        Checks computer location settings
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        48⤵
        Checks computer location settings
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        49⤵
        Checks computer location settings
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        50⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        51⤵
        Checks computer location settings
        
        PID:5520
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        52⤵
        Checks computer location settings
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        53⤵
        Checks computer location settings
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        54⤵
        Checks computer location settings
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        55⤵
        Checks computer location settings
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        56⤵
        Checks computer location settings
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        57⤵
        Checks computer location settings
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        58⤵
        Checks computer location settings
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        59⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        60⤵
        Checks computer location settings
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        61⤵
        Checks computer location settings
        
        PID:5860
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        62⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        63⤵
        Checks computer location settings
        
        PID:5948
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        64⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        65⤵
        Checks computer location settings
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        66⤵
        Checks computer location settings
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        67⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        68⤵
        Checks computer location settings
        
        PID:5932
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        69⤵
        Checks computer location settings
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        70⤵
        Checks computer location settings
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        71⤵
        Checks computer location settings
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        72⤵
        Checks computer location settings
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        73⤵
        Checks computer location settings
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        74⤵
        Checks computer location settings
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        75⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        76⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        77⤵
        Checks computer location settings
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
        78⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        78⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        77⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        76⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        75⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        74⤵
        
        PID:5724
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5724 -s 1532
        75⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        73⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        72⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        71⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        70⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        69⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        68⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        67⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        66⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5272
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5420
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3812 -s 1636
        51⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5228
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 624 -s 1556
        45⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5812
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
      - C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5692
    - - C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
  - - C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
    "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4888 -ip 4888
1⤵
PID:820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4228 -ip 4228
1⤵
PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4708 -ip 4708
1⤵
PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 1616 -ip 1616
1⤵
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3412

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 6064 -ip 6064
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VelocitySupportTool.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\FixVelocity.exe

Filesize
1.6MB

MD5
94438728ecda8452ce32d2e972d62a3d

SHA1
732827a71f08f19a891a72095333424b064b1144

SHA256
4b59460b0da9c218627e33d35175bc8ce1e6f08b71bd99f92ee0310a970458a5

SHA512
b6bb05fc8effbc9eeebb03a1167177f4ff65f4f341bc80911e4cbcd6c3f716329ed1ab6df72fe8a39a6c7b621ede6066e3f490d0c081f38ccb5ea52771437a0c

Download Submit
C:\Users\Admin\AppData\Roaming\VelocitySupport.exe

Filesize
138KB

MD5
a705df8248ae95c4c123793b6235821a

SHA1
4eab0a8288be174489b3858ecb7ef1cb673c2799

SHA256
4ee52b38617c54e3445e3bfadbca1776d577ff50f88169c3613852d16eb39ba2

SHA512
5b41d3ef942c0e5ae137d7dcac59aaa782697e9de35f9a7a8a096f27e3a9c88ba16307ec24caf1d26c7db7f50f3f4568b48f01b9542ea0551db416e43d94bef0

Download Submit
C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe

Filesize
409KB

MD5
89c1e3a7ec9d20a6a19d33733ddfb45d

SHA1
92e295c1a64cb1a7cff25da640d427d494913ea6

SHA256
de4e0c559892f2e6532a81f41f2dc7881abcb21f10cef2f0b8e1c08f028ed274

SHA512
8a0db537fb949c274db4bc0ddf1b8e1075fe9a944c72e0f2790846288844a81870afdd549dfe2850deabf34aebfeca38faddf49128f3a25ce99660421858998d

Download Submit
memory/3536-37-0x0000000000780000-0x00000000007A8000-memory.dmp

Filesize
160KB

Download
memory/5244-21-0x0000000000790000-0x00000000007FC000-memory.dmp

Filesize
432KB

Download
memory/5244-23-0x00007FFADE2E0000-0x00007FFADEDA1000-memory.dmp

Filesize
10.8MB

Download
memory/5244-38-0x00007FFADE2E0000-0x00007FFADEDA1000-memory.dmp

Filesize
10.8MB

Download
memory/5844-0-0x00007FFADE2E3000-0x00007FFADE2E5000-memory.dmp

Filesize
8KB

Download
memory/5844-1-0x00000000004E0000-0x00000000006F0000-memory.dmp

Filesize
2.1MB

Download