badrabbit | 96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
4996	BadRabbit.exe
4256	17D4.tmp
5576	BadRabbit.exe
2552	KillWin.exe

Loads dropped DLL 2 IoCs

pid	Process
3500	rundll32.exe
5480	rundll32.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
117	raw.githubusercontent.com
118	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 10 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Wallpaper.jpeg"	wscript.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\17D4.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4124	schtasks.exe
2520	schtasks.exe

Delays execution with timeout.exe 13 IoCs

evasion

pid	Process
4824	timeout.exe
4500	timeout.exe
3012	timeout.exe
1936	timeout.exe
5596	timeout.exe
488	timeout.exe
696	timeout.exe
4904	timeout.exe
1420	timeout.exe
5900	timeout.exe
4896	timeout.exe
5476	timeout.exe
788	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4448	taskkill.exe

Modifies Control Panel 10 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\Desktop	wscript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-776854024-226333264-2052258302-1000\{68572B68-685D-4286-946F-0F6F2B5C4051}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 115817.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
4152	msedge.exe
4152	msedge.exe
4688	identity_helper.exe
4688	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
3560	msedge.exe
3560	msedge.exe
3500	rundll32.exe
3500	rundll32.exe
3500	rundll32.exe
3500	rundll32.exe
4256	17D4.tmp
4256	17D4.tmp
4256	17D4.tmp
4256	17D4.tmp
4256	17D4.tmp
4256	17D4.tmp
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5480	rundll32.exe
5480	rundll32.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5500	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3500	rundll32.exe
Token: SeDebugPrivilege	3500	rundll32.exe
Token: SeTcbPrivilege	3500	rundll32.exe
Token: SeDebugPrivilege	4256	17D4.tmp
Token: SeDebugPrivilege	5500	taskmgr.exe
Token: SeSystemProfilePrivilege	5500	taskmgr.exe
Token: SeCreateGlobalPrivilege	5500	taskmgr.exe
Token: SeShutdownPrivilege	5480	rundll32.exe
Token: SeDebugPrivilege	5480	rundll32.exe
Token: SeTcbPrivilege	5480	rundll32.exe
Token: 33	5500	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5500	taskmgr.exe
Token: 33	5448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5448	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1088	FMLN Ransomware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4252	2508	FMLN Ransomware.exe	89
PID 2508 wrote to memory of 4252	2508	FMLN Ransomware.exe	89
PID 4252 wrote to memory of 4804	4252	cmd.exe	90
PID 4252 wrote to memory of 4804	4252	cmd.exe	90
PID 4252 wrote to memory of 1768	4252	cmd.exe	92
PID 4252 wrote to memory of 1768	4252	cmd.exe	92
PID 4252 wrote to memory of 4824	4252	cmd.exe	93
PID 4252 wrote to memory of 4824	4252	cmd.exe	93
PID 4152 wrote to memory of 2024	4152	msedge.exe	103
PID 4152 wrote to memory of 2024	4152	msedge.exe	103
PID 4252 wrote to memory of 4500	4252	cmd.exe	104
PID 4252 wrote to memory of 4500	4252	cmd.exe	104
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 5060	4152	msedge.exe	105
PID 4152 wrote to memory of 1508	4152	msedge.exe	106
PID 4152 wrote to memory of 1508	4152	msedge.exe	106
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107
PID 4152 wrote to memory of 4264	4152	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\FMLN Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\FMLN Ransomware.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\64F4.tmp\64F5.tmp\64F6.bat "C:\Users\Admin\AppData\Local\Temp\FMLN Ransomware.exe""
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\system32\mode.com
    mode con: cols=170 lines=45
    3⤵
    PID:4804
- - C:\Windows\system32\certutil.exe
    certutil -decode "Image.bin" "Wallpaper.jpeg"
    3⤵
    PID:1768
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4824
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4500
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4896
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:5216
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5484
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:5228
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5516
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:5240
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5500
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:5256
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5492
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:5268
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5548
- - C:\Windows\system32\timeout.exe
    timeout /t 4
    3⤵
    - Delays execution with timeout.exe
    PID:5596
- - C:\Windows\system32\certutil.exe
    certutil -decode "Data.lp" "KillWin.exe"
    3⤵
    PID:5628
- - C:\Windows\system32\wscript.exe
    wscript "m.vbs"
    3⤵
    PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe72e46f8,0x7fffe72e4708,0x7fffe72e4718
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,8175559868357806539,11348638823353614720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5012

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4996
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:5156
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2815815854 && exit"
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2815815854 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:47:00
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:47:00
      4⤵
      Creates scheduled task(s)
      PID:4124
- - C:\Windows\17D4.tmp
    "C:\Windows\17D4.tmp" \\.\pipe\{046B7180-30D8-4584-95FE-56BDD7B4E708}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4256

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5500

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5576
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5480

C:\Users\Admin\Desktop\FMLN Ransomware.exe
"C:\Users\Admin\Desktop\FMLN Ransomware.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1088
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2E94.tmp\2E95.tmp\2E96.bat "C:\Users\Admin\Desktop\FMLN Ransomware.exe""
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Enumerates connected drives
  - Modifies registry class
  PID:4916
- - C:\Windows\system32\mode.com
    mode con: cols=170 lines=45
    3⤵
    PID:1968
- - C:\Windows\system32\certutil.exe
    certutil -decode "Image.bin" "Wallpaper.jpeg"
    3⤵
    PID:484
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:696
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4904
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:5476
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:788
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1420
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:184
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5384
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:2604
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5688
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:2004
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5616
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:2900
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5400
- - C:\Windows\system32\wscript.exe
    wscript "0.vbs"
    3⤵
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:5608
  - - C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:5232
- - C:\Windows\system32\timeout.exe
    timeout /t 4
    3⤵
    - Delays execution with timeout.exe
    PID:488
- - C:\Windows\system32\certutil.exe
    certutil -decode "Data.lp" "KillWin.exe"
    3⤵
    PID:5028
- - C:\Windows\system32\wscript.exe
    wscript "m.vbs"
    3⤵
    PID:2212
- - C:\Windows\system32\msg.exe
    msg * Codigo no valido, vuelva a introducirlo
    3⤵
    PID:5628
- - C:\Windows\system32\msg.exe
    msg * Codigo no valido, vuelva a introducirlo
    3⤵
    PID:5600
- - C:\Windows\system32\msg.exe
    msg * Codigo no valido, vuelva a introducirlo
    3⤵
    PID:4420
- - C:\Windows\system32\msg.exe
    msg * Codigo no valido, vuelva a introducirlo
    3⤵
    PID:3696
- - C:\Windows\system32\msg.exe
    msg * Codigo no valido, Su PC sera destruida
    3⤵
    PID:1112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\DRunHD.vbs"
    3⤵
    - Checks computer location settings
    PID:4660
  - - C:\Users\Admin\Desktop\TempData\KillWin.exe
      "C:\Users\Admin\Desktop\TempData\KillWin.exe"
      4⤵
      Executes dropped EXE
      PID:2552
- - C:\Windows\system32\timeout.exe
    timeout /nobreak 30
    3⤵
    - Delays execution with timeout.exe
    PID:5900
- - C:\Windows\system32\taskkill.exe
    taskkill /im svchost.exe /f
    3⤵
    - Kills process with taskkill
    PID:4448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x298
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery