be6c7b0c87bdb9426bbbab27b7574d3bcd435126b8130bbd2c2ce516e077e4e8

Resubmissions

09/07/2024, 18:56

240709-xltjmazbqn 9

09/07/2024, 16:59

240709-vhlcqstgpm 9

09/07/2024, 14:31

240709-rvwsfsybnk 8

Analysis

max time kernel
1799s
max time network
1703s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MWIII_IRIS_AIO_V3.5.exe
Size

10.9MB
MD5

dc43693ef7c1e53d46b0da91191597db
SHA1

aef31787fe96864a8ae38793d4974fc254cddf50
SHA256

be6c7b0c87bdb9426bbbab27b7574d3bcd435126b8130bbd2c2ce516e077e4e8
SHA512

d5190aa5c30e941908560709917ea59dc6400f4ba1bbf2aa15c4abaa08d62cc1f7aa4cd154dbea9c537ddc513005ec1b25146a2d7b8951da14cac2542861fb26
SSDEEP

196608:Or9iC3AAslutR6k0SxVCypmKEqEOdoFldQ+6XVizae1haPXM3dkIftIia9tkfc:+9ikAAsUvl0aH2qbdoLPae1hIc3TtIiu

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
5036	MWIII_IRIS_AIO_V3.5.exe
3736	MWIII_IRIS_AIO_V3.5.exe
4088	MWIII_IRIS_AIO_V3.5.exe
3052	MWIII_IRIS_AIO_V3.5.exe
5052	MWIII_IRIS_AIO_V3.5.exe
2040	MWIII_IRIS_AIO_V3.5.exe
4840	MWIII_IRIS_AIO_V3.5.exe
1788	MWIII_IRIS_AIO_V3.5.exe
4124	MWIII_IRIS_AIO_V3.5.exe

Loads dropped DLL 7 IoCs

pid	Process
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\ = "Debug with x64dbg"	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command\ = "\"C:\\Users\\Admin\\Documents\\release\\x96dbg.exe\" \"%1\""	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Icon = "\"C:\\Users\\Admin\\Documents\\release\\x96dbg.exe\",0"	x96dbg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
84	raw.githubusercontent.com
83	raw.githubusercontent.com

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 5036	2328	x64dbg.exe	208
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215
PID 2328 set thread context of 3736	2328	x64dbg.exe	215

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4080	sc.exe
3276	sc.exe
3500	sc.exe
1736	sc.exe
396	sc.exe
4536	sc.exe
3244	sc.exe
3444	sc.exe
1172	sc.exe
3496	sc.exe
388	sc.exe
2528	sc.exe
1604	sc.exe
1620	sc.exe
1564	sc.exe
1380	sc.exe
1632	sc.exe
388	sc.exe
3744	sc.exe
2128	sc.exe
1916	sc.exe
388	sc.exe
628	sc.exe
1756	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 48 IoCs

evasion

pid	Process
2208	taskkill.exe
972	taskkill.exe
1892	taskkill.exe
2780	taskkill.exe
4708	taskkill.exe
1460	taskkill.exe
1968	taskkill.exe
668	taskkill.exe
5072	taskkill.exe
4260	taskkill.exe
2156	taskkill.exe
972	taskkill.exe
876	taskkill.exe
2812	taskkill.exe
1548	taskkill.exe
3844	taskkill.exe
3728	taskkill.exe
3592	taskkill.exe
4652	taskkill.exe
4508	taskkill.exe
2000	taskkill.exe
3528	taskkill.exe
4088	taskkill.exe
2136	taskkill.exe
3772	taskkill.exe
2228	taskkill.exe
4028	taskkill.exe
5092	taskkill.exe
528	taskkill.exe
4936	taskkill.exe
4952	taskkill.exe
3404	taskkill.exe
3900	taskkill.exe
3304	taskkill.exe
2720	taskkill.exe
4000	taskkill.exe
5076	taskkill.exe
2976	taskkill.exe
3936	taskkill.exe
1488	taskkill.exe
2304	taskkill.exe
736	taskkill.exe
3152	taskkill.exe
5064	taskkill.exe
3312	taskkill.exe
3964	taskkill.exe
432	taskkill.exe
3996	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133650092239960672"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\ = "Debug with x64dbg"	x96dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	die.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	die.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\Command\ = "\"C:\\Users\\Admin\\Documents\\release\\x96dbg.exe\" \"%1\""	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	die.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Documents"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "14"	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	die.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	die.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	x64dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	x64dbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\Icon = "\"C:\\Users\\Admin\\Documents\\release\\x96dbg.exe\",0"	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	die.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\3	die.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	die.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	die.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4400	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2328	x64dbg.exe
1928	die.exe
2356	die.exe
4608	x64dbg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3676	MWIII_IRIS_AIO_V3.5.exe
3676	MWIII_IRIS_AIO_V3.5.exe
4520	chrome.exe
4520	chrome.exe
4320	chrome.exe
4320	chrome.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2328	x64dbg.exe
1928	die.exe
2356	die.exe
4608	x64dbg.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2328	x64dbg.exe
2328	x64dbg.exe
2328	x64dbg.exe
1928	die.exe
1928	die.exe
2328	x64dbg.exe
2328	x64dbg.exe
3052	MWIII_IRIS_AIO_V3.5.exe
2328	x64dbg.exe
2356	die.exe
2356	die.exe
2356	die.exe
2356	die.exe
2356	die.exe
2356	die.exe
2356	die.exe
2356	die.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4608	x64dbg.exe
4400	NOTEPAD.EXE
4124	MWIII_IRIS_AIO_V3.5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3524	3676	MWIII_IRIS_AIO_V3.5.exe	86
PID 3676 wrote to memory of 3524	3676	MWIII_IRIS_AIO_V3.5.exe	86
PID 3676 wrote to memory of 3468	3676	MWIII_IRIS_AIO_V3.5.exe	87
PID 3676 wrote to memory of 3468	3676	MWIII_IRIS_AIO_V3.5.exe	87
PID 3676 wrote to memory of 1784	3676	MWIII_IRIS_AIO_V3.5.exe	88
PID 3676 wrote to memory of 1784	3676	MWIII_IRIS_AIO_V3.5.exe	88
PID 3676 wrote to memory of 5016	3676	MWIII_IRIS_AIO_V3.5.exe	89
PID 3676 wrote to memory of 5016	3676	MWIII_IRIS_AIO_V3.5.exe	89
PID 3676 wrote to memory of 3960	3676	MWIII_IRIS_AIO_V3.5.exe	90
PID 3676 wrote to memory of 3960	3676	MWIII_IRIS_AIO_V3.5.exe	90
PID 3676 wrote to memory of 1884	3676	MWIII_IRIS_AIO_V3.5.exe	91
PID 3676 wrote to memory of 1884	3676	MWIII_IRIS_AIO_V3.5.exe	91
PID 3676 wrote to memory of 4868	3676	MWIII_IRIS_AIO_V3.5.exe	92
PID 3676 wrote to memory of 4868	3676	MWIII_IRIS_AIO_V3.5.exe	92
PID 1784 wrote to memory of 4260	1784	cmd.exe	93
PID 1784 wrote to memory of 4260	1784	cmd.exe	93
PID 3468 wrote to memory of 2720	3468	cmd.exe	96
PID 3468 wrote to memory of 2720	3468	cmd.exe	96
PID 5016 wrote to memory of 1632	5016	cmd.exe	94
PID 5016 wrote to memory of 1632	5016	cmd.exe	94
PID 3960 wrote to memory of 3964	3960	cmd.exe	95
PID 3960 wrote to memory of 3964	3960	cmd.exe	95
PID 3524 wrote to memory of 4028	3524	cmd.exe	97
PID 3524 wrote to memory of 4028	3524	cmd.exe	97
PID 4868 wrote to memory of 3724	4868	cmd.exe	98
PID 4868 wrote to memory of 3724	4868	cmd.exe	98
PID 3676 wrote to memory of 4204	3676	MWIII_IRIS_AIO_V3.5.exe	101
PID 3676 wrote to memory of 4204	3676	MWIII_IRIS_AIO_V3.5.exe	101
PID 3676 wrote to memory of 3276	3676	MWIII_IRIS_AIO_V3.5.exe	102
PID 3676 wrote to memory of 3276	3676	MWIII_IRIS_AIO_V3.5.exe	102
PID 3676 wrote to memory of 3800	3676	MWIII_IRIS_AIO_V3.5.exe	103
PID 3676 wrote to memory of 3800	3676	MWIII_IRIS_AIO_V3.5.exe	103
PID 3676 wrote to memory of 2352	3676	MWIII_IRIS_AIO_V3.5.exe	104
PID 3676 wrote to memory of 2352	3676	MWIII_IRIS_AIO_V3.5.exe	104
PID 3676 wrote to memory of 2168	3676	MWIII_IRIS_AIO_V3.5.exe	105
PID 3676 wrote to memory of 2168	3676	MWIII_IRIS_AIO_V3.5.exe	105
PID 3676 wrote to memory of 3228	3676	MWIII_IRIS_AIO_V3.5.exe	106
PID 3676 wrote to memory of 3228	3676	MWIII_IRIS_AIO_V3.5.exe	106
PID 3276 wrote to memory of 528	3276	cmd.exe	107
PID 3276 wrote to memory of 528	3276	cmd.exe	107
PID 2168 wrote to memory of 4000	2168	cmd.exe	109
PID 2168 wrote to memory of 4000	2168	cmd.exe	109
PID 4204 wrote to memory of 432	4204	cmd.exe	111
PID 4204 wrote to memory of 432	4204	cmd.exe	111
PID 3800 wrote to memory of 5092	3800	cmd.exe	108
PID 3800 wrote to memory of 5092	3800	cmd.exe	108
PID 2352 wrote to memory of 1172	2352	cmd.exe	110
PID 2352 wrote to memory of 1172	2352	cmd.exe	110
PID 3676 wrote to memory of 1240	3676	MWIII_IRIS_AIO_V3.5.exe	112
PID 3676 wrote to memory of 1240	3676	MWIII_IRIS_AIO_V3.5.exe	112
PID 3676 wrote to memory of 1288	3676	MWIII_IRIS_AIO_V3.5.exe	113
PID 3676 wrote to memory of 1288	3676	MWIII_IRIS_AIO_V3.5.exe	113
PID 3676 wrote to memory of 3768	3676	MWIII_IRIS_AIO_V3.5.exe	114
PID 3676 wrote to memory of 3768	3676	MWIII_IRIS_AIO_V3.5.exe	114
PID 3676 wrote to memory of 3284	3676	MWIII_IRIS_AIO_V3.5.exe	115
PID 3676 wrote to memory of 3284	3676	MWIII_IRIS_AIO_V3.5.exe	115
PID 3676 wrote to memory of 2740	3676	MWIII_IRIS_AIO_V3.5.exe	116
PID 3676 wrote to memory of 2740	3676	MWIII_IRIS_AIO_V3.5.exe	116
PID 3676 wrote to memory of 716	3676	MWIII_IRIS_AIO_V3.5.exe	117
PID 3676 wrote to memory of 716	3676	MWIII_IRIS_AIO_V3.5.exe	117
PID 3676 wrote to memory of 4740	3676	MWIII_IRIS_AIO_V3.5.exe	118
PID 3676 wrote to memory of 4740	3676	MWIII_IRIS_AIO_V3.5.exe	118
PID 3676 wrote to memory of 396	3676	MWIII_IRIS_AIO_V3.5.exe	119
PID 3676 wrote to memory of 396	3676	MWIII_IRIS_AIO_V3.5.exe	119

C:\Users\Admin\AppData\Local\Temp\MWIII_IRIS_AIO_V3.5.exe
"C:\Users\Admin\AppData\Local\Temp\MWIII_IRIS_AIO_V3.5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\MWIII_IRIS_AIO_V3.5.exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\MWIII_IRIS_AIO_V3.5.exe" MD5
    3⤵
    PID:3724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1240
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1288
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3284
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4740
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4072
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2476
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:700
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4324
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5076
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2208
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2136
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1872
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3720
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3592
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4700
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3828
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4708
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4620
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:396
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4056
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3284
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4952
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2444
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4204
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4536
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff94375ab58,0x7ff94375ab68,0x7ff94375ab78
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:2
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4932 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4288 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4972 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5076 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1588 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2668 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5568 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5612 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4876 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5732 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1876 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5184 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5216 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3276 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5860 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1932,i,17006269313772037746,7845013408797975192,131072 /prefetch:8
  2⤵
  PID:4124

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2296

C:\Users\Admin\Documents\release\x96dbg.exe
"C:\Users\Admin\Documents\release\x96dbg.exe"
1⤵
PID:4612
- C:\Users\Admin\Documents\release\x96dbg.exe
  "C:\Users\Admin\Documents\release\x96dbg.exe" ::install
  2⤵
  - Modifies system executable filetype association
  - Modifies registry class
  PID:3964

C:\Users\Admin\Documents\release\x96dbg.exe
"C:\Users\Admin\Documents\release\x96dbg.exe"
1⤵
PID:3796
- C:\Users\Admin\Documents\release\x64\x64dbg.exe
  "C:\Users\Admin\Documents\release\x64\x64dbg.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2328
- - C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
    "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
    3⤵
    - Executes dropped EXE
    PID:5036
- - C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
    "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
    3⤵
    - Executes dropped EXE
    PID:3736
- - C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
    "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
    "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
    3⤵
    - Executes dropped EXE
    PID:5052

C:\Users\Admin\Downloads\die_win64_portable_3.09_x64\die.exe
"C:\Users\Admin\Downloads\die_win64_portable_3.09_x64\die.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
"C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3476
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4380
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1968
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1232
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2116
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe" MD5
  2⤵
  PID:672
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe" MD5
    3⤵
    PID:4056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1352
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1548
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3256
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:3344
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3392
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5076
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5040
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2000
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4080
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:728
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:3152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4076
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4652
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3552
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3340
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4700
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4144

C:\Users\Admin\Downloads\die_win64_portable_3.09_x64\die.exe
"C:\Users\Admin\Downloads\die_win64_portable_3.09_x64\die.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Users\Admin\Documents\release\x64\x64dbg.exe
"C:\Users\Admin\Documents\release\x64\x64dbg.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4608
- C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
  "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
  "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
  "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
  2⤵
  - Executes dropped EXE
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\release\x64\plugins\Scripts\on.bat" "
1⤵
PID:4612
- C:\Windows\system32\sc.exe
  sc start airhv
  2⤵
  - Launches sc.exe
  PID:1604
- C:\Windows\system32\sc.exe
  sc start HyperHideDrv
  2⤵
  - Launches sc.exe
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\release\x64\plugins\Scripts\create.bat" "
1⤵
PID:4896
- C:\Windows\system32\sc.exe
  sc create airhv type= Kernel binpath= C:\Windows\system32\drivers\airhv.sys
  2⤵
  - Launches sc.exe
  PID:3244
- C:\Windows\system32\sc.exe
  sc create HyperHideDrv type= Kernel binpath= C:\Windows\system32\drivers\HyperHideDrv.sys
  2⤵
  - Launches sc.exe
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\release\x64\plugins\Scripts\on.bat" "
1⤵
PID:2028
- C:\Windows\system32\sc.exe
  sc start airhv
  2⤵
  - Launches sc.exe
  PID:3500
- C:\Windows\system32\sc.exe
  sc start HyperHideDrv
  2⤵
  - Launches sc.exe
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\release\x64\plugins\Scripts\on.bat" "
1⤵
PID:1796
- C:\Windows\system32\sc.exe
  sc start airhv
  2⤵
  - Launches sc.exe
  PID:1620
- C:\Windows\system32\sc.exe
  sc start HyperHideDrv
  2⤵
  - Launches sc.exe
  PID:1564

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" /p C:\Users\Admin\Documents\release\x64\plugins\Scripts\create.bat
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:64

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\release\x64\plugins\Scripts\create.bat"
1⤵
PID:4456
- C:\Windows\system32\sc.exe
  sc create airhv type= Kernel binpath= C:\Windows\system32\drivers\airhv.sys
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\system32\sc.exe
  sc create HyperHideDrv type= Kernel binpath= C:\Windows\system32\drivers\HyperHideDrv.sys
  2⤵
  - Launches sc.exe
  PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\release\x64\plugins\Scripts\on.bat"
1⤵
PID:1724
- C:\Windows\system32\sc.exe
  sc start airhv
  2⤵
  - Launches sc.exe
  PID:1380
- C:\Windows\system32\sc.exe
  sc start HyperHideDrv
  2⤵
  - Launches sc.exe
  PID:3444

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:1204

C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe
"C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4124
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3252
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3312
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3996
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1004
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4508
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe" MD5
  2⤵
  PID:3864
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe" MD5
    3⤵
    PID:3704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:3668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
91d9cb9d7d7e49f97c0e0ce64d9bc4f0

SHA1
75ba234da4bb135f8b26e3abc3e095dceb3165cf

SHA256
3ae5b0b2172f0236544cdc92940c2699327c60442e7c442d3422b033117b642b

SHA512
e84a20bc87c8e83f7be0fb2d9e9a9b93e235f91d357bfe652e8c932288f505d3d6a5ab60aa8a3d1a69f951835d8330ed11a1b71e2308a5dddfb6af3d1770644a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c3c326f65b5855633c965d4743fb7daa

SHA1
5ecf4d94144ba0bd9aa53c862be40d7c79143e90

SHA256
dce49fcc3fc9fb18b6304cd84567f65053f0c6a93251ca8262330e174024be9e

SHA512
c4532553188f9985c3dc61dcc10181c3ef0fc7597054615e80b961fb5e2b7a79365730e993b34f9042d3e6caa91d95971d2168b6249847f3977d4db18d00e88a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9642a179c954858bb8cba10189e67393

SHA1
b2d3d54b00c80aa70714aa255a1564ebb7e14908

SHA256
0ef1ac20324bfeaf7b3d95e6e8e1266b0c879adf1c468fd351fa7813a3cc00d5

SHA512
1699cd3265c90c612dbd43b451bab5949725f41d8d3a58c520ff34cf351b06d23c6ee7fa62050da8945a3fc950fee534f0ed0737377f28800eebf1fa4be2ab71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
77f935c95bffd77e42f3f6f035083130

SHA1
313950c59e8f5cccc1805b3e6705483707fa6a39

SHA256
52d71e7a7dec28dc4601df1c725a82d728278eb92ef87ed7f8048999d1fd783a

SHA512
d92f4bac1a5b16f6c8ba87ec11a713c2f6b8027fe18daf80584352a64b74fe8320653702df170b0e3bad723b7b8d2156ba41772f2670b7e5cb79e84958396729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
073f37dea1f812c16524fa6bdca7f3cc

SHA1
adf978023f35e31af2d7db4ff301a1ce5a3498fd

SHA256
ba57fab702a64e58dcaf60bd0b6631e409865795ae919a6501adbe22b014d5f7

SHA512
810d73b8949892a233fea630cd6327204621da073f111e02e3200e814769c5f557d3c0f83267b380e74c6816e2c040b830239d52031ec2247030e844a69287bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eae30fb88896b4da059b99d53cbeb9e8

SHA1
5d38f45c6e02fa14ed9be992a849c16ee2092545

SHA256
7269d50f40c5b29bd90d6762b71c14884c10faabc3216c7535c6e489e8048f4c

SHA512
e2de628343357bf94f6ca07d543d6e6968f9b5e6cd557df6d6210e0299c220754d1a4e9f4cff03bd1c98a0d8ac680ee725ff9c673c946d29d0385a2f2b616f78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cffbc31437f12d42c0936e3c14a2aba9

SHA1
2039aa17feedfcb016bd255ea2ca3ae7f05fa485

SHA256
c38f237cfb553db86deb51960d0249827973783d0a566744c570c57228e0e75f

SHA512
e1944748b7e4372957d15da389dedd8a2a2242f5bf10f8c03da61b48a42900f9272a93fded2ea83e742c98cdf04a2c11d3206c70772caa3038daf27abc48fdae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
bb430a2d01468bd2ddec49dfbc6d904f

SHA1
37a2e566cb66b4557476aa8d00ad6b9b47fc2be3

SHA256
a6235b1bb987c0a13ccf0a6b683be8e64eaa44737e0e26112e3a47e2ee064768

SHA512
b236b26cf7f429e55ed37b660732f7a97dd70254b1d76d6a924fcbceaedb1ce11c0c94059b5724b6d4950800f841aa3fe3ffe44f15dffc51546f08278086b1af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
01383c35a2d0fec08904225379a218ba

SHA1
e8548e8ee5f0f2a494edd269984dabc00499aba8

SHA256
755f636d80b2223bde19c59d1ac1d4b1108db2c42b4a8531fcb01f22a4cf4138

SHA512
ef21d80488fcddf9cd836f8295872192f596a9fd98e9ccc56053f44285472031f2193abc60efb79d3e84d398e6c794c960f8e694778e14745418fbf33e241196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
281db28ec13fa6d89d569d0603a4dd54

SHA1
70148e4e3b4f2a1e8e6458964419c868d22ea82e

SHA256
f0e642c1349a014aa5c9a3adef005f9935391af27397bea59b02ada74b1ef74f

SHA512
363295e690b4c37f33725f9759ea21c776eb0429ff7332f7d779b320e14e178fdc2e486dc0b809e22900c036de7bc4466b697ce6a0effea38ded13dfb94aed9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
64eb77f6fc136b4b48bb40a430cb94be

SHA1
fe229b1401caf99156472b2cfea71ea559791a7f

SHA256
8366b047784cc76e6e1c5079a687b849c786d7fdda928a1bb0f2f0fbe515c86d

SHA512
f1666d887c3c88319e7f51ef92d834af6e7d980fd640ad82a7efa24925d951ea9bee9fddc029a10b567804deec6bfe5b6dd13e98c9bc2a179fcc1733a25dc28a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
3acf65d41150efd280e1f9302f5b671f

SHA1
b64bcee263c52b2eb0b0af7ba3d1833a29b39ecd

SHA256
17930fba26a50944316285360ba7355f6a8b9c2a6b3772b7253447956dacebbb

SHA512
c54773ac6ffab2e3dbf91b46eac88dcfbec2ce5c267a8c87bba10fb7a67e43153bce4ebda628ee31331b1874f9610d33a6ea9a2c271e3b7bce902794431b3b4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
7a4518e59056ed6830f471b29d51d533

SHA1
955fa473fc37705ede73ffdb35addd2b191557ae

SHA256
e9112d7dfdf89860f0df008425e0dd37f69656abd1216e3cb1976a24d0bc2514

SHA512
d28c1065c1ab253b0bc4ed83228161a0c1a67ffd87b90244ee67b195858140f8a9a637b1bb8e29880d5e289cc8d6800fed0e52e3d14a2c8405544958ccb0ca3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5918ce.TMP

Filesize
89KB

MD5
800bfa4633b661bdbfe32621025f4d4f

SHA1
1f4833f0446e91d745ea61b31e7da86ce0eedecc

SHA256
6b08ab3a8fcdf97b28bef01b77120293a610852e138462c5d90f40dc2f47dd40

SHA512
a31c7a8d2a6f8c223301e23da633a716722e068314b90745d83913170375bcaab6ad357172bba25593e8640e6ced2de24d43635fb610a183e0c3df792176dc41

Download Submit
C:\Users\Admin\Documents\release\x64\plugins\scylla_hide.ini

Filesize
7KB

MD5
657dac94d0c2a726f2d0d3d1db03f38c

SHA1
84db14e1085a35c7fceef4de1fb0c4fe8b9fcaf5

SHA256
46f8127743398f9b94735e1e28f3cb283ffc35efc01d617b70a9b154bb5c02fc

SHA512
96f24c6168af4defe58aa25fab7e741c52b8fef5d0350d59b8a7d003f58a4ca13a3a9bf07c2c3fcbbcc5d7fdfafb90ac888c1ca8202e9336c5b411027e250678

Download Submit
C:\Users\Admin\Documents\release\x64\x64dbg.ini

Filesize
48KB

MD5
9798c2bfd7a401a52245144324e5eea6

SHA1
665234904822b94fa7d26a24bacd92bee6893c9d

SHA256
08817880963cf848aa5c19f9c6a7cf6309f52960b212b4e09ef7219e403c8b3e

SHA512
d8ce3914e44802558cd923befac2b33e9a7fae33a2acb29abdf57253e61f9a3b75b15e21cc70356bfdf18968cd0142e376b6ebee138df76730234a1a9efd841c

Download Submit
C:\Users\Admin\Documents\release\x96dbg.ini

Filesize
122B

MD5
45c1e010baaeb6b086b93c73cbfa1433

SHA1
6570b66b77103aac30dc7cccfacde1e42413890a

SHA256
672875a23347e407ff4a54c6baa35090c7041fa45568437f12b86b50bc2fbebc

SHA512
6b00d4050ad80dc575b056e40b3fdae831e57d1b035fc7500c1523c70c7f03f344e8b53b070ec3c8482fcb7c300d401260502ba4c04076ee23db66c236d3ad50

Download Submit
C:\Users\Admin\Downloads\HyperHide.zip

Filesize
1.1MB

MD5
c9718e166d36b811b430a6d0e1227f38

SHA1
91bce80f2ee6df1cff2cf533049f630e7b2a5770

SHA256
d7a5c3c1340aa5cfa233064890da2fc2b3afdf226c9fca140d5d0591d9228186

SHA512
389bd3664f07fa6331894fdaad721ffa933d87317d2ff0dc452ad0aad49c027cc6f601f21d2f8dc60f23b76c5847367372523c52912f422f2022ed10cf6ee09f

Download Submit
C:\Users\Admin\Downloads\MWIII_IRIS_AIO_V3.5.exe

Filesize
10.9MB

MD5
dc43693ef7c1e53d46b0da91191597db

SHA1
aef31787fe96864a8ae38793d4974fc254cddf50

SHA256
be6c7b0c87bdb9426bbbab27b7574d3bcd435126b8130bbd2c2ce516e077e4e8

SHA512
d5190aa5c30e941908560709917ea59dc6400f4ba1bbf2aa15c4abaa08d62cc1f7aa4cd154dbea9c537ddc513005ec1b25146a2d7b8951da14cac2542861fb26

Download Submit
C:\Users\Admin\Downloads\ScyllaHide_2023-03-24_13-03.zip

Filesize
3.6MB

MD5
138bffc8d10d42fc5c43194f632dfac8

SHA1
9f1769eb39f971e2fb72c539dbc76788982ad14b

SHA256
edeb0dd203fd1ef38e1404e8a1bd001e05c50b6096e49533f546d13ffdcb7404

SHA512
248777f1bd83f9ec55526bb095e85bc0f64c87c0cb4959c091dc7a9008369a5ba2864ac4230b40590438e86bc84e70b549c01cb9524d3c0c86dd3bc335c2b962

Download Submit
C:\Users\Admin\Downloads\die_win64_portable_3.09_x64.zip

Filesize
19.7MB

MD5
9df37be5599da02c8080038bd2e24c6a

SHA1
de5720fc01731f449296dc56ce857a6d8bfa237f

SHA256
299ff9d91cead31c32926ecfb5f27d629d06997d259e70af8632044edaf27c9b

SHA512
a5970762a94370860806ed90c4ea73afedbd3a86144ed582a118f4b5dd1b1ae91c7b5a3034722229781c3cfc29ff80504096aa426baaee06cb6dc9701b7fea21

Download Submit
C:\Users\Admin\Downloads\die_win64_portable_3.09_x64\die.ini

Filesize
92B

MD5
4b095f80e44c96a0cf390db672b01aed

SHA1
468839f65d726a9d15c24f44fc849c472c5bfb5c

SHA256
b87b53d0eee1662f797372fa5dd8bc874d9ef25d72f3c9473e2a468107314395

SHA512
e289f16f48a47f2c83a8f09919fd0c63af2d7fe1da438660a47b89b1c2716a10e80e734e3faee3f9650856fd65b1de1c8aed7dff70027f493774239fba597a16

Download Submit
C:\Users\Admin\Downloads\die_win64_portable_3.09_x64\shortcuts.ini

Filesize
1KB

MD5
090612b1c921f2d7094d80f6430733d5

SHA1
050025f1b573b53f30bd06af0d30fa4acdc66fa9

SHA256
bdeb1db80e2f10cd4d78f165a7348c3f1f7dab8f263941081a1f8de8a921751f

SHA512
17f7641f266138519a63a4d6b493c72b5f39140cb2cfa73b07168f71c4d16be8fd847c4bbdd045337b06741496d2c573f10cbf43b1d632491cbea5efc9946b29

Download Submit
C:\Users\Admin\Downloads\snapshot_2024-07-07_16-07.zip

Filesize
33.1MB

MD5
f6ebf59ec67592ef1ade07b9db76703e

SHA1
f096202b372b1c501f673c981d3f851779a9a167

SHA256
7be51d98b2fc39e76fef6434ef035d36a40745974f9f5cb8eaabcc6ab8329662

SHA512
eac5ce06b393c3277130bfe64806ef64af648c08ef575a3b8ca8cf4189cb8dcf262640fedcacd1a14cae7154fd992b92467001c02db39630ac2bddf7a1b6a81e

Download Submit
memory/1928-236-0x00007FF93E0F0000-0x00007FF93E631000-memory.dmp

Filesize
5.3MB

Download
memory/1928-235-0x00007FF6F7110000-0x00007FF6F7D2F000-memory.dmp

Filesize
12.1MB

Download
memory/2328-186-0x0000000052E30000-0x000000005337A000-memory.dmp

Filesize
5.3MB

Download
memory/2328-199-0x00000000538E0000-0x00000000538F5000-memory.dmp

Filesize
84KB

Download
memory/3676-6-0x00007FF798550000-0x00007FF799961000-memory.dmp

Filesize
20.1MB

Download
memory/3676-1-0x00007FF798550000-0x00007FF799961000-memory.dmp

Filesize
20.1MB

Download
memory/3676-39-0x00007FF79863C000-0x00007FF798E70000-memory.dmp

Filesize
8.2MB

Download
memory/3676-0-0x00007FF960EB0000-0x00007FF960EB2000-memory.dmp

Filesize
8KB

Download
memory/3676-76-0x00007FF798550000-0x00007FF799961000-memory.dmp

Filesize
20.1MB

Download
memory/3676-42-0x00007FF798550000-0x00007FF799961000-memory.dmp

Filesize
20.1MB

Download
memory/3676-77-0x00007FF79863C000-0x00007FF798E70000-memory.dmp

Filesize
8.2MB

Download
memory/3676-2-0x00007FF79863C000-0x00007FF798E70000-memory.dmp

Filesize
8.2MB

Download
memory/5036-197-0x0000023759D20000-0x0000023759D21000-memory.dmp

Filesize
4KB

Download
memory/5036-191-0x0000023759CC0000-0x0000023759CC1000-memory.dmp

Filesize
4KB

Download
memory/5036-192-0x0000023759CD0000-0x0000023759CD1000-memory.dmp

Filesize
4KB

Download
memory/5036-193-0x0000023759CE0000-0x0000023759CE1000-memory.dmp

Filesize
4KB

Download
memory/5036-194-0x0000023759CF0000-0x0000023759CF1000-memory.dmp

Filesize
4KB

Download
memory/5036-195-0x0000023759D00000-0x0000023759D01000-memory.dmp

Filesize
4KB

Download
memory/5036-196-0x0000023759D10000-0x0000023759D11000-memory.dmp

Filesize
4KB

Download
memory/5036-198-0x0000023759D30000-0x0000023759D31000-memory.dmp

Filesize
4KB

Download