quasar | 733431ca3726f733f13a62b56f15faaef24c5edf1822deafee856fed28f31c44

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DCRAT.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DCRAT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DCRAT.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	DcRat.exe

Executes dropped EXE 2 IoCs

pid	Process
4464	AWCC.SERVICE.EXE
772	AWCC.SERVICE.EXE

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000002311d-137.dat	themida
behavioral2/files/0x000800000002311d-142.dat	themida
behavioral2/files/0x000800000002311d-143.dat	themida
behavioral2/files/0x000800000002311d-144.dat	themida
behavioral2/files/0x000800000002311d-148.dat	themida
behavioral2/memory/772-152-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/4464-154-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/772-156-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/4464-158-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/1792-163-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/1792-159-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-157.dat	themida
behavioral2/files/0x000800000002311d-168.dat	themida
behavioral2/memory/216-169-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/216-170-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-176.dat	themida
behavioral2/memory/2884-178-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/2884-181-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-185.dat	themida
behavioral2/memory/3672-184-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/3672-187-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-190.dat	themida
behavioral2/memory/828-199-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/828-204-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-203.dat	themida
behavioral2/memory/2872-208-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/772-209-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/4464-210-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/2872-211-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-218.dat	themida
behavioral2/memory/216-220-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/2200-222-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/2200-224-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/2172-231-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x0006000000023129-230.dat	themida
behavioral2/files/0x000800000002311d-232.dat	themida
behavioral2/memory/2172-233-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/1792-236-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/1868-245-0x00000000007F0000-0x000000000106C000-memory.dmp	themida
behavioral2/memory/1868-249-0x00000000007F0000-0x000000000106C000-memory.dmp	themida
behavioral2/files/0x000800000002311d-248.dat	themida
behavioral2/memory/2016-250-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/2016-247-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/3672-246-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x0006000000023129-254.dat	themida
behavioral2/files/0x000800000002311d-262.dat	themida
behavioral2/memory/2872-264-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/memory/1868-271-0x00000000007F0000-0x000000000106C000-memory.dmp	themida
behavioral2/memory/3784-274-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x000800000002311d-275.dat	themida
behavioral2/memory/2040-276-0x0000000000930000-0x00000000011AC000-memory.dmp	themida
behavioral2/files/0x0003000000000737-288.dat	themida
behavioral2/files/0x000800000002311d-290.dat	themida
behavioral2/files/0x0003000000000737-294.dat	themida
behavioral2/files/0x000800000002311d-309.dat	themida
behavioral2/files/0x000800000002311d-320.dat	themida
behavioral2/files/0x000300000000073b-323.dat	themida
behavioral2/files/0x000300000000073b-324.dat	themida
behavioral2/files/0x000800000002311d-326.dat	themida
behavioral2/files/0x000800000002311d-340.dat	themida
behavioral2/files/0x000800000002311d-348.dat	themida
behavioral2/files/0x000800000002311d-354.dat	themida
behavioral2/files/0x000800000002311d-365.dat	themida
behavioral2/files/0x0003000000000741-367.dat	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DCRAT.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AWCC.SERVICE.EXE

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
64	ip-api.com
97	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4464	DCRAT.EXE
772	AWCC.SERVICE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 49 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2792	schtasks.exe
4080	schtasks.exe
2152	schtasks.exe
1524	schtasks.exe
4964	schtasks.exe
2744	schtasks.exe
476	schtasks.exe
2200	schtasks.exe
4224	schtasks.exe
736	schtasks.exe
2068	schtasks.exe
2800	schtasks.exe
1916	schtasks.exe
3900	schtasks.exe
5068	schtasks.exe
2500	schtasks.exe
540	schtasks.exe
4960	schtasks.exe
3208	schtasks.exe
4968	schtasks.exe
4632	schtasks.exe
2884	schtasks.exe
2756	schtasks.exe
2744	schtasks.exe
2012	schtasks.exe
4348	schtasks.exe
4072	schtasks.exe
3400	schtasks.exe
4984	schtasks.exe
388	schtasks.exe
3312	schtasks.exe
4944	schtasks.exe
3752	schtasks.exe
4672	schtasks.exe
2752	schtasks.exe
2344	schtasks.exe
2324	schtasks.exe
956	schtasks.exe
2560	schtasks.exe
3724	schtasks.exe
4840	schtasks.exe
3536	schtasks.exe
2772	schtasks.exe
2464	schtasks.exe
3160	schtasks.exe
4116	schtasks.exe
4044	schtasks.exe
2440	schtasks.exe
4804	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4464	2020	DcRat.exe	82
PID 2020 wrote to memory of 4464	2020	DcRat.exe	82
PID 2020 wrote to memory of 4464	2020	DcRat.exe	82
PID 2020 wrote to memory of 4532	2020	DcRat.exe	83
PID 2020 wrote to memory of 4532	2020	DcRat.exe	83
PID 2020 wrote to memory of 4532	2020	DcRat.exe	83
PID 4532 wrote to memory of 772	4532	Process not Found	84
PID 4532 wrote to memory of 772	4532	Process not Found	84
PID 4532 wrote to memory of 772	4532	Process not Found	84
PID 4532 wrote to memory of 604	4532	Process not Found	85
PID 4532 wrote to memory of 604	4532	Process not Found	85
PID 4532 wrote to memory of 604	4532	Process not Found	85

C:\Users\Admin\AppData\Local\Temp\DcRat.exe
"C:\Users\Admin\AppData\Local\Temp\DcRat.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
  "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
  2⤵
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
    "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
    "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
    3⤵
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
      "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3400
    - - C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        5⤵
        
        PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
      "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        5⤵
        
        PID:216
    - - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        5⤵
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        6⤵
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        6⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        7⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        7⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        8⤵
        
        PID:828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        9⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        8⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        9⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        10⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        11⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        12⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        13⤵
        Creates scheduled task(s)
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        13⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        12⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        13⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        14⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        13⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        14⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        15⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        15⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        16⤵
        
        PID:544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        17⤵
        Creates scheduled task(s)
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        17⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        16⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        17⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        18⤵
        Creates scheduled task(s)
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        18⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        17⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        18⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        19⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        19⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        20⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        20⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        21⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        21⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        22⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        23⤵
        Creates scheduled task(s)
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        23⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        22⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        23⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        23⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        24⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        24⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        25⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        25⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        26⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        27⤵
        Creates scheduled task(s)
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        27⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        26⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        27⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        28⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        29⤵
        Creates scheduled task(s)
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        29⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        28⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        29⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        30⤵
        Creates scheduled task(s)
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        30⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        29⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        30⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        30⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        31⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        32⤵
        Creates scheduled task(s)
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        32⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        31⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        32⤵
        
        PID:972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        33⤵
        Creates scheduled task(s)
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        33⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        32⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        33⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        34⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        34⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        35⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        36⤵
        Creates scheduled task(s)
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        36⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        35⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        36⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        36⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        37⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        38⤵
        Creates scheduled task(s)
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        38⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        37⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        38⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        39⤵
        Creates scheduled task(s)
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        39⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        38⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        39⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        39⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        40⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        40⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        41⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        42⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        43⤵
        Creates scheduled task(s)
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        43⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        42⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        43⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        44⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        45⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        45⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        46⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        47⤵
        Creates scheduled task(s)
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        47⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        46⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        47⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        47⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        48⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        49⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        49⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        50⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        51⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        52⤵
        Creates scheduled task(s)
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        52⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        51⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        52⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        52⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        53⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        54⤵
        Creates scheduled task(s)
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        53⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        54⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        54⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        55⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        56⤵
        Creates scheduled task(s)
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        56⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        55⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        56⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        57⤵
        Creates scheduled task(s)
        
        PID:4840
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        57⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        56⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        57⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        58⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        58⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        59⤵
        
        PID:456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        60⤵
        Creates scheduled task(s)
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        60⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        59⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        60⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        60⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        61⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        62⤵
        Creates scheduled task(s)
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        62⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        61⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        62⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        62⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        63⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        64⤵
        Creates scheduled task(s)
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        64⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        63⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        64⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        65⤵
        Creates scheduled task(s)
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        65⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        64⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        65⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        66⤵
        Creates scheduled task(s)
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        66⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        65⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        66⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        66⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        67⤵
        
        PID:216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        68⤵
        Creates scheduled task(s)
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        68⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        67⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        68⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        69⤵
        Creates scheduled task(s)
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        69⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        68⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        69⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        69⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        70⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        71⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        72⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        72⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        73⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        73⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        74⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        75⤵
        Creates scheduled task(s)
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        75⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        74⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        75⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        75⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        76⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        77⤵
        Creates scheduled task(s)
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        77⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        76⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        77⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        77⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        78⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        79⤵
        Creates scheduled task(s)
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        79⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        78⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        79⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        79⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        80⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        81⤵
        Creates scheduled task(s)
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        81⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        80⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        81⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        82⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        83⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        83⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        84⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        85⤵
        Creates scheduled task(s)
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        85⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        84⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        85⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        86⤵
        Creates scheduled task(s)
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        86⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        85⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        86⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        86⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        87⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        87⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        88⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        88⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        89⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        90⤵
        Creates scheduled task(s)
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        90⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        89⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        90⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        90⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        91⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        92⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        92⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        93⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        94⤵
        Creates scheduled task(s)
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        94⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        93⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        94⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        94⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        95⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        96⤵
        Creates scheduled task(s)
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        96⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        95⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        96⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        97⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        97⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        98⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        98⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        99⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        99⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        100⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        100⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        101⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        102⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        103⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        103⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        104⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        105⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        106⤵
        Creates scheduled task(s)
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        106⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        105⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        106⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        106⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        107⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        107⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        108⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        108⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        109⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        109⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        110⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        111⤵
        Creates scheduled task(s)
        
        PID:736
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        111⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        110⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        111⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        112⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        112⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        113⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        113⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        114⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        114⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        115⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        115⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        116⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        116⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        117⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        117⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        118⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        118⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        111⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        104⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        105⤵
        Creates scheduled task(s)
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        105⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        102⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        101⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        96⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        91⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        92⤵
        Creates scheduled task(s)
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        92⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        82⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        83⤵
        Creates scheduled task(s)
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        83⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        81⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        71⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        72⤵
        Creates scheduled task(s)
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        72⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        70⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        71⤵
        Creates scheduled task(s)
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        71⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        57⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        58⤵
        Creates scheduled task(s)
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        58⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        50⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        48⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        44⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        45⤵
        Creates scheduled task(s)
        
        PID:476
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        45⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        43⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        41⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        42⤵
        Creates scheduled task(s)
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        42⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        33⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        34⤵
        Creates scheduled task(s)
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        34⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        27⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        18⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE" /rl HIGHEST /f
        19⤵
        Creates scheduled task(s)
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\wsappx.exe"
        19⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        14⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        11⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        10⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        9⤵
        
        PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

System Information Discovery