349225d232f24526c0b83d25f9e026c0da9b30868178989a790424717420a27d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01a4355298023c35423d92d98380730c_JaffaCakes118.exe
Size

13KB
MD5

01a4355298023c35423d92d98380730c
SHA1

489fd8014d23722871bf82739362657e69fb5642
SHA256

349225d232f24526c0b83d25f9e026c0da9b30868178989a790424717420a27d
SHA512

f1001149b5431905691267d1def21709229b60edf4e261199ffdc6dee93bea30a494d1f0b3baf6209efa0591f479a3261e6f5e3ecd9bdb537c5acfc8dfb96e4a
SSDEEP

384:RtHbNKJ4mD2B6FrXqFio/eUBBUWUXmxgYbRo0Pkte:Rt24O2B67o/ZUWcmRZMM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2264	kawdcaz.exe
2640	kawdcaz.exe
2612	kawdcaz.exe
2304	kawdcaz.exe
2868	kawdcaz.exe
1976	kawdcaz.exe
2680	kawdcaz.exe
776	kawdcaz.exe
2916	kawdcaz.exe
2128	kawdcaz.exe
1780	kawdcaz.exe
768	kawdcaz.exe
992	kawdcaz.exe
1988	kawdcaz.exe
1724	kawdcaz.exe
2336	kawdcaz.exe
2556	kawdcaz.exe
3008	kawdcaz.exe
2808	kawdcaz.exe
2992	kawdcaz.exe
1668	kawdcaz.exe
2832	kawdcaz.exe
1512	kawdcaz.exe
2308	kawdcaz.exe
880	kawdcaz.exe
632	kawdcaz.exe
2916	kawdcaz.exe
2888	kawdcaz.exe
1956	kawdcaz.exe
996	kawdcaz.exe
2020	kawdcaz.exe
2140	kawdcaz.exe
1824	kawdcaz.exe
1580	kawdcaz.exe
2572	kawdcaz.exe
2616	kawdcaz.exe
2516	kawdcaz.exe
2828	kawdcaz.exe
1984	kawdcaz.exe
664	kawdcaz.exe
2968	kawdcaz.exe
1964	kawdcaz.exe
3036	kawdcaz.exe
2276	kawdcaz.exe
1196	kawdcaz.exe
2284	kawdcaz.exe
1860	kawdcaz.exe
1956	kawdcaz.exe
1812	kawdcaz.exe
1632	kawdcaz.exe
564	kawdcaz.exe
1764	kawdcaz.exe
2728	kawdcaz.exe
2508	kawdcaz.exe
2440	kawdcaz.exe
1792	kawdcaz.exe
2860	kawdcaz.exe
2212	kawdcaz.exe
2548	kawdcaz.exe
1964	kawdcaz.exe
948	kawdcaz.exe
1100	kawdcaz.exe
1196	kawdcaz.exe
2100	kawdcaz.exe

Loads dropped DLL 64 IoCs

pid	Process
1816	cmd.exe
1816	cmd.exe
2664	cmd.exe
2664	cmd.exe
2464	cmd.exe
2464	cmd.exe
2996	cmd.exe
2996	cmd.exe
2832	cmd.exe
2832	cmd.exe
1784	cmd.exe
1784	cmd.exe
2788	cmd.exe
2788	cmd.exe
632	cmd.exe
632	cmd.exe
2064	cmd.exe
2064	cmd.exe
596	cmd.exe
596	cmd.exe
2076	cmd.exe
2076	cmd.exe
2400	cmd.exe
2400	cmd.exe
616	cmd.exe
616	cmd.exe
2956	cmd.exe
2956	cmd.exe
1932	cmd.exe
1932	cmd.exe
2668	cmd.exe
2668	cmd.exe
2616	cmd.exe
2616	cmd.exe
2516	cmd.exe
2516	cmd.exe
2796	cmd.exe
2796	cmd.exe
2984	cmd.exe
2984	cmd.exe
3068	cmd.exe
3068	cmd.exe
2968	cmd.exe
2968	cmd.exe
1964	cmd.exe
1964	cmd.exe
2096	cmd.exe
2096	cmd.exe
2760	cmd.exe
2760	cmd.exe
1796	cmd.exe
1796	cmd.exe
1272	cmd.exe
1272	cmd.exe
1860	cmd.exe
1860	cmd.exe
1636	cmd.exe
1636	cmd.exe
1812	cmd.exe
1812	cmd.exe
1632	cmd.exe
1632	cmd.exe
564	cmd.exe
564	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe
2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe
2264	kawdcaz.exe
2264	kawdcaz.exe
2640	kawdcaz.exe
2640	kawdcaz.exe
2612	kawdcaz.exe
2612	kawdcaz.exe
2304	kawdcaz.exe
2304	kawdcaz.exe
2868	kawdcaz.exe
2868	kawdcaz.exe
1976	kawdcaz.exe
1976	kawdcaz.exe
2680	kawdcaz.exe
2680	kawdcaz.exe
776	kawdcaz.exe
776	kawdcaz.exe
2916	kawdcaz.exe
2916	kawdcaz.exe
2128	kawdcaz.exe
2128	kawdcaz.exe
1780	kawdcaz.exe
1780	kawdcaz.exe
768	kawdcaz.exe
768	kawdcaz.exe
992	kawdcaz.exe
992	kawdcaz.exe
1988	kawdcaz.exe
1988	kawdcaz.exe
1724	kawdcaz.exe
1724	kawdcaz.exe
2336	kawdcaz.exe
2336	kawdcaz.exe
2556	kawdcaz.exe
2556	kawdcaz.exe
3008	kawdcaz.exe
3008	kawdcaz.exe
2808	kawdcaz.exe
2808	kawdcaz.exe
2992	kawdcaz.exe
2992	kawdcaz.exe
1668	kawdcaz.exe
1668	kawdcaz.exe
2832	kawdcaz.exe
2832	kawdcaz.exe
1512	kawdcaz.exe
1512	kawdcaz.exe
2308	kawdcaz.exe
2308	kawdcaz.exe
880	kawdcaz.exe
880	kawdcaz.exe
632	kawdcaz.exe
632	kawdcaz.exe
2916	kawdcaz.exe
2916	kawdcaz.exe
2888	kawdcaz.exe
2888	kawdcaz.exe
1956	kawdcaz.exe
1956	kawdcaz.exe
996	kawdcaz.exe
996	kawdcaz.exe
2020	kawdcaz.exe
2020	kawdcaz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1816	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1816	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1816	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1816	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	28
PID 1816 wrote to memory of 2264	1816	cmd.exe	30
PID 1816 wrote to memory of 2264	1816	cmd.exe	30
PID 1816 wrote to memory of 2264	1816	cmd.exe	30
PID 1816 wrote to memory of 2264	1816	cmd.exe	30
PID 2264 wrote to memory of 2664	2264	kawdcaz.exe	31
PID 2264 wrote to memory of 2664	2264	kawdcaz.exe	31
PID 2264 wrote to memory of 2664	2264	kawdcaz.exe	31
PID 2264 wrote to memory of 2664	2264	kawdcaz.exe	31
PID 2664 wrote to memory of 2640	2664	cmd.exe	33
PID 2664 wrote to memory of 2640	2664	cmd.exe	33
PID 2664 wrote to memory of 2640	2664	cmd.exe	33
PID 2664 wrote to memory of 2640	2664	cmd.exe	33
PID 2088 wrote to memory of 2648	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	34
PID 2088 wrote to memory of 2648	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	34
PID 2088 wrote to memory of 2648	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	34
PID 2088 wrote to memory of 2648	2088	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	34
PID 2640 wrote to memory of 2464	2640	kawdcaz.exe	36
PID 2640 wrote to memory of 2464	2640	kawdcaz.exe	36
PID 2640 wrote to memory of 2464	2640	kawdcaz.exe	36
PID 2640 wrote to memory of 2464	2640	kawdcaz.exe	36
PID 2464 wrote to memory of 2612	2464	cmd.exe	38
PID 2464 wrote to memory of 2612	2464	cmd.exe	38
PID 2464 wrote to memory of 2612	2464	cmd.exe	38
PID 2464 wrote to memory of 2612	2464	cmd.exe	38
PID 2264 wrote to memory of 2436	2264	kawdcaz.exe	39
PID 2264 wrote to memory of 2436	2264	kawdcaz.exe	39
PID 2264 wrote to memory of 2436	2264	kawdcaz.exe	39
PID 2264 wrote to memory of 2436	2264	kawdcaz.exe	39
PID 2612 wrote to memory of 2996	2612	kawdcaz.exe	41
PID 2612 wrote to memory of 2996	2612	kawdcaz.exe	41
PID 2612 wrote to memory of 2996	2612	kawdcaz.exe	41
PID 2612 wrote to memory of 2996	2612	kawdcaz.exe	41
PID 2996 wrote to memory of 2304	2996	cmd.exe	43
PID 2996 wrote to memory of 2304	2996	cmd.exe	43
PID 2996 wrote to memory of 2304	2996	cmd.exe	43
PID 2996 wrote to memory of 2304	2996	cmd.exe	43
PID 2640 wrote to memory of 1660	2640	kawdcaz.exe	44
PID 2640 wrote to memory of 1660	2640	kawdcaz.exe	44
PID 2640 wrote to memory of 1660	2640	kawdcaz.exe	44
PID 2640 wrote to memory of 1660	2640	kawdcaz.exe	44
PID 2304 wrote to memory of 2832	2304	kawdcaz.exe	46
PID 2304 wrote to memory of 2832	2304	kawdcaz.exe	46
PID 2304 wrote to memory of 2832	2304	kawdcaz.exe	46
PID 2304 wrote to memory of 2832	2304	kawdcaz.exe	46
PID 2832 wrote to memory of 2868	2832	cmd.exe	48
PID 2832 wrote to memory of 2868	2832	cmd.exe	48
PID 2832 wrote to memory of 2868	2832	cmd.exe	48
PID 2832 wrote to memory of 2868	2832	cmd.exe	48
PID 2612 wrote to memory of 2976	2612	kawdcaz.exe	49
PID 2612 wrote to memory of 2976	2612	kawdcaz.exe	49
PID 2612 wrote to memory of 2976	2612	kawdcaz.exe	49
PID 2612 wrote to memory of 2976	2612	kawdcaz.exe	49
PID 2868 wrote to memory of 1784	2868	kawdcaz.exe	51
PID 2868 wrote to memory of 1784	2868	kawdcaz.exe	51
PID 2868 wrote to memory of 1784	2868	kawdcaz.exe	51
PID 2868 wrote to memory of 1784	2868	kawdcaz.exe	51
PID 1784 wrote to memory of 1976	1784	cmd.exe	53
PID 1784 wrote to memory of 1976	1784	cmd.exe	53
PID 1784 wrote to memory of 1976	1784	cmd.exe	53
PID 1784 wrote to memory of 1976	1784	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\01a4355298023c35423d92d98380730c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01a4355298023c35423d92d98380730c_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\tmp232A.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\WINDOWS\SysWOW64\kawdcaz.exe
    "C:\WINDOWS\system32\kawdcaz.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\WINDOWS\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2655.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2942.bat
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2C4E.bat
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2F4A.bat
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3247.bat
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3524.bat
        14⤵
        Loads dropped DLL
        
        PID:2788
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3830.bat
        16⤵
        Loads dropped DLL
        
        PID:632
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3B0D.bat
        18⤵
        Loads dropped DLL
        
        PID:2064
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3E19.bat
        20⤵
        Loads dropped DLL
        
        PID:596
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4106.bat
        22⤵
        Loads dropped DLL
        
        PID:2076
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4412.bat
        24⤵
        Loads dropped DLL
        
        PID:2400
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp470E.bat
        26⤵
        Loads dropped DLL
        
        PID:616
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4A0B.bat
        28⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4CF8.bat
        30⤵
        Loads dropped DLL
        
        PID:1932
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5013.bat
        32⤵
        Loads dropped DLL
        
        PID:2668
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5300.bat
        34⤵
        Loads dropped DLL
        
        PID:2616
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp55ED.bat
        36⤵
        Loads dropped DLL
        
        PID:2516
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp58CA.bat
        38⤵
        Loads dropped DLL
        
        PID:2796
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5BB7.bat
        40⤵
        Loads dropped DLL
        
        PID:2984
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5E94.bat
        42⤵
        Loads dropped DLL
        
        PID:3068
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6190.bat
        44⤵
        Loads dropped DLL
        
        PID:2968
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp646E.bat
        46⤵
        Loads dropped DLL
        
        PID:1964
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp676A.bat
        48⤵
        Loads dropped DLL
        
        PID:2096
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6A47.bat
        50⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6D44.bat
        52⤵
        Loads dropped DLL
        
        PID:1796
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:632
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7031.bat
        54⤵
        Loads dropped DLL
        
        PID:1272
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp733D.bat
        56⤵
        Loads dropped DLL
        
        PID:1860
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7629.bat
        58⤵
        Loads dropped DLL
        
        PID:1636
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7916.bat
        60⤵
        Loads dropped DLL
        
        PID:1812
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7BF3.bat
        62⤵
        Loads dropped DLL
        
        PID:1632
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7EFF.bat
        64⤵
        Loads dropped DLL
        
        PID:564
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        65⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp81EC.bat
        66⤵
        
        PID:1764
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        67⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp84D9.bat
        68⤵
        
        PID:1948
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        69⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp87B6.bat
        70⤵
        
        PID:2508
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        71⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp8AB3.bat
        72⤵
        
        PID:2804
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        73⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp8D90.bat
        74⤵
        
        PID:2692
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        75⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp908C.bat
        76⤵
        
        PID:3000
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        77⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9369.bat
        78⤵
        
        PID:600
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        79⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9666.bat
        80⤵
        
        PID:1700
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        81⤵
        Executes dropped EXE
        
        PID:664
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9962.bat
        82⤵
        
        PID:3028
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        83⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9C5F.bat
        84⤵
        
        PID:676
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        85⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9F3C.bat
        86⤵
        
        PID:776
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        87⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA238.bat
        88⤵
        
        PID:1084
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        89⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA515.bat
        90⤵
        
        PID:1532
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        91⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA812.bat
        92⤵
        
        PID:2064
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        93⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpAAFF.bat
        94⤵
        
        PID:1308
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        95⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpADFB.bat
        96⤵
        
        PID:1952
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        97⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB0D8.bat
        98⤵
        
        PID:2300
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        99⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB3D5.bat
        100⤵
        
        PID:2356
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        101⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB6C1.bat
        102⤵
        
        PID:1592
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        103⤵
        Executes dropped EXE
        
        PID:564
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB9BE.bat
        104⤵
        
        PID:2668
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        105⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpBC9B.bat
        106⤵
        
        PID:2556
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        107⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpBF97.bat
        108⤵
        
        PID:1652
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        109⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC275.bat
        110⤵
        
        PID:2816
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        111⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC581.bat
        112⤵
        
        PID:2516
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        113⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC85E.bat
        114⤵
        
        PID:2820
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        115⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpCB5A.bat
        116⤵
        
        PID:1912
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        117⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpCE47.bat
        118⤵
        
        PID:1108
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        119⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpD153.bat
        120⤵
        
        PID:960
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        121⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpD440.bat
        122⤵
        
        PID:1608
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:948
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpD74C.bat
        124⤵
        
        PID:2948
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        125⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpDA29.bat
        126⤵
        
        PID:700
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        127⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpDD25.bat
        128⤵
        
        PID:2400
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        129⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE022.bat
        130⤵
        
        PID:2900
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        131⤵
        
        PID:1680
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE31E.bat
        132⤵
        
        PID:2896
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        133⤵
        Drops file in System32 directory
        
        PID:692
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE61B.bat
        134⤵
        
        PID:2468
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        135⤵
        
        PID:1812
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE917.bat
        136⤵
        
        PID:2520
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        137⤵
        
        PID:2940
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpEC04.bat
        138⤵
        
        PID:2768
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        139⤵
        
        PID:2444
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpEF00.bat
        140⤵
        
        PID:2572
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        141⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF1ED.bat
        142⤵
        
        PID:1340
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        143⤵
        
        PID:1948
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF4EA.bat
        144⤵
        
        PID:1960
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        145⤵
        
        PID:2508
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF7C7.bat
        146⤵
        
        PID:2796
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        147⤵
        
        PID:2804
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpFAC3.bat
        148⤵
        
        PID:1708
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        149⤵
        
        PID:1624
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpFDB0.bat
        150⤵
        
        PID:2864
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        151⤵
        
        PID:2820
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9D.bat
        152⤵
        
        PID:2980
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        153⤵
        
        PID:1912
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp38A.bat
        154⤵
        
        PID:2096
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        155⤵
        
        PID:2868
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp676.bat
        156⤵
        
        PID:2924
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        157⤵
        
        PID:448
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp963.bat
        158⤵
        
        PID:2888
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        159⤵
        Drops file in System32 directory
        
        PID:272
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC7F.bat
        160⤵
        
        PID:2276
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        161⤵
        
        PID:1796
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF5C.bat
        162⤵
        
        PID:1308
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        163⤵
        
        PID:700
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1268.bat
        164⤵
        
        PID:2904
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        165⤵
        
        PID:1636
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1555.bat
        166⤵
        
        PID:852
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        167⤵
        
        PID:2528
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1861.bat
        168⤵
        
        PID:692
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        169⤵
        Drops file in System32 directory
        
        PID:1992
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1B4E.bat
        170⤵
        
        PID:2468
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        171⤵
        
        PID:1592
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1E4A.bat
        172⤵
        
        PID:2520
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        173⤵
        
        PID:2240
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2127.bat
        174⤵
        
        PID:2768
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        175⤵
        
        PID:2908
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2443.bat
        176⤵
        
        PID:1484
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        177⤵
        
        PID:1980
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp273F.bat
        178⤵
        
        PID:1340
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        179⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2A4B.bat
        180⤵
        
        PID:1960
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        181⤵
        
        PID:3024
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2D48.bat
        182⤵
        
        PID:2536
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        183⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3044.bat
        184⤵
        
        PID:3012
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        185⤵
        
        PID:2788
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3321.bat
        186⤵
        
        PID:2820
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        187⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp361E.bat
        188⤵
        
        PID:2984
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        189⤵
        
        PID:2856
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp390A.bat
        190⤵
        
        PID:2964
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        191⤵
        
        PID:3036
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3C07.bat
        192⤵
        
        PID:1272
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        193⤵
        
        PID:2988
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3F03.bat
        194⤵
        
        PID:1352
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        195⤵
        
        PID:2388
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp420F.bat
        196⤵
        
        PID:2708
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        197⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp450C.bat
        198⤵
        
        PID:2744
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        199⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4808.bat
        200⤵
        
        PID:2896
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        201⤵
        
        PID:1636
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4AF5.bat
        202⤵
        
        PID:2992
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        203⤵
        
        PID:1444
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4DF1.bat
        204⤵
        
        PID:1660
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        205⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp50CE.bat
        206⤵
        
        PID:2176
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        207⤵
        Drops file in System32 directory
        
        PID:564
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp53BB.bat
        208⤵
        
        PID:2684
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        209⤵
        
        PID:892
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp56B8.bat
        210⤵
        
        PID:2052
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        211⤵
        
        PID:1948
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp59B4.bat
        212⤵
        
        PID:1852
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        213⤵
        
        PID:1328
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5C91.bat
        214⤵
        
        PID:2976
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        215⤵
        
        PID:1364
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5F9D.bat
        216⤵
        
        PID:348
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        217⤵
        
        PID:1676
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp629A.bat
        218⤵
        
        PID:756
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        219⤵
        
        PID:2500
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6596.bat
        220⤵
        
        PID:1552
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        221⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6873.bat
        222⤵
        
        PID:676
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        223⤵
        
        PID:2256
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6B60.bat
        224⤵
        
        PID:488
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        225⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6E3D.bat
        226⤵
        
        PID:2980
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        227⤵
        
        PID:3048
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp713A.bat
        228⤵
        
        PID:2096
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        229⤵
        
        PID:1336
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7417.bat
        230⤵
        
        PID:2924
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        231⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7713.bat
        232⤵
        
        PID:3020
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        233⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7A1F.bat
        234⤵
        
        PID:2904
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        235⤵
        
        PID:2708
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7D1C.bat
        236⤵
        
        PID:1728
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        237⤵
        
        PID:1292
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7FF9.bat
        238⤵
        
        PID:2356
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        239⤵
        
        PID:2640
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp82F5.bat
        240⤵
        
        PID:1712
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        241⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp85F2.bat
        242⤵
        
        PID:2220
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        243⤵
        
        PID:1988
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp890D.bat
        244⤵
        
        PID:564
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        245⤵
        
        PID:1744
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp8BEB.bat
        246⤵
        
        PID:2632
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        247⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp8EE7.bat
        248⤵
        
        PID:2304
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        249⤵
        
        PID:1720
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp91C4.bat
        250⤵
        
        PID:1784
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        251⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp94C1.bat
        252⤵
        
        PID:2876
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        253⤵
        
        PID:2248
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp979E.bat
        254⤵
        
        PID:640
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        255⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9A9A.bat
        256⤵
        
        PID:1760
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        257⤵
        
        PID:1960
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9D87.bat
        258⤵
        
        PID:2296
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        259⤵
        Drops file in System32 directory
        
        PID:580
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA074.bat
        260⤵
        
        PID:2420
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        261⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA351.bat
        262⤵
        
        PID:2108
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        263⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA63E.bat
        264⤵
        
        PID:2652
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        265⤵
        
        PID:2040
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpA91B.bat
        266⤵
        
        PID:2576
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        267⤵
        
        PID:2868
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpAC08.bat
        268⤵
        
        PID:1600
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        269⤵
        
        PID:1528
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpAEF5.bat
        270⤵
        
        PID:2912
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        271⤵
        Drops file in System32 directory
        
        PID:336
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB1E1.bat
        272⤵
        
        PID:2688
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        273⤵
        
        PID:2184
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB4BF.bat
        274⤵
        
        PID:2088
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        275⤵
        
        PID:1444
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpB7BB.bat
        276⤵
        
        PID:2624
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        277⤵
        Drops file in System32 directory
        
        PID:760
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpBA98.bat
        278⤵
        
        PID:2412
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        279⤵
        
        PID:2112
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpBD95.bat
        280⤵
        
        PID:2772
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        281⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC072.bat
        282⤵
        
        PID:2580
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        283⤵
        
        PID:1980
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC36E.bat
        284⤵
        
        PID:2804
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        285⤵
        
        PID:2496
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC64B.bat
        286⤵
        
        PID:360
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        287⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpC938.bat
        288⤵
        
        PID:2068
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        289⤵
        Drops file in System32 directory
        
        PID:2392
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpCC15.bat
        290⤵
        
        PID:1028
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        291⤵
        
        PID:2560
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpCF12.bat
        292⤵
        
        PID:2000
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        293⤵
        
        PID:2808
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpD1FF.bat
        294⤵
        
        PID:1940
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        295⤵
        
        PID:2856
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpD4EC.bat
        296⤵
        
        PID:2880
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        297⤵
        
        PID:2852
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpD7C9.bat
        298⤵
        
        PID:2312
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        299⤵
        
        PID:2944
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpDAC5.bat
        300⤵
        
        PID:2352
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        301⤵
        
        PID:992
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpDDB2.bat
        302⤵
        
        PID:2436
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        303⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE0AE.bat
        304⤵
        
        PID:1576
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        305⤵
        Drops file in System32 directory
        
        PID:2628
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE38C.bat
        306⤵
        
        PID:1680
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        307⤵
        
        PID:2464
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE688.bat
        308⤵
        
        PID:2020
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        309⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpE965.bat
        310⤵
        
        PID:2032
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        311⤵
        
        PID:324
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpEC62.bat
        312⤵
        
        PID:2356
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        313⤵
        
        PID:304
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpEF5E.bat
        314⤵
        
        PID:1812
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        315⤵
        
        PID:1664
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF25A.bat
        316⤵
        
        PID:1660
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        317⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF538.bat
        318⤵
        
        PID:564
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        319⤵
        
        PID:2796
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpF824.bat
        320⤵
        
        PID:2632
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        321⤵
        
        PID:1044
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpFB21.bat
        322⤵
        
        PID:1732
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        323⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpFE1D.bat
        324⤵
        
        PID:2252
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        325⤵
        Drops file in System32 directory
        
        PID:1784
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp11A.bat
        326⤵
        
        PID:1364
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        327⤵
        
        PID:2928
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp406.bat
        328⤵
        
        PID:1340
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        329⤵
        
        PID:1080
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6F3.bat
        330⤵
        
        PID:2788
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        331⤵
        
        PID:1760
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9F0.bat
        332⤵
        
        PID:1432
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        333⤵
        
        PID:1584
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpCEC.bat
        334⤵
        
        PID:2884
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        335⤵
        
        PID:2420
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmpFE8.bat
        336⤵
        
        PID:2932
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        337⤵
        
        PID:1260
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp12E5.bat
        338⤵
        
        PID:868
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        339⤵
        
        PID:2476
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp15E1.bat
        340⤵
        
        PID:2224
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        341⤵
        
        PID:1448
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp18DE.bat
        342⤵
        
        PID:2456
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        343⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1BDA.bat
        344⤵
        
        PID:2732
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        345⤵
        
        PID:1604
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1EC7.bat
        346⤵
        
        PID:2528
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        347⤵
        
        PID:2736
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp21C3.bat
        348⤵
        
        PID:2088
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        349⤵
        
        PID:2992
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp24B0.bat
        350⤵
        
        PID:1580
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        351⤵
        
        PID:1596
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp27AC.bat
        352⤵
        
        PID:2520
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        353⤵
        
        PID:2240
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2A8A.bat
        354⤵
        
        PID:1764
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        355⤵
        
        PID:1296
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2D76.bat
        356⤵
        
        PID:2812
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        357⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3063.bat
        358⤵
        
        PID:1936
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        359⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3360.bat
        360⤵
        
        PID:2512
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        361⤵
        
        PID:1792
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp364C.bat
        362⤵
        
        PID:1084
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        363⤵
        
        PID:2536
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3939.bat
        364⤵
        
        PID:956
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        365⤵
        
        PID:2076
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3C26.bat
        366⤵
        
        PID:2404
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        367⤵
        
        PID:1872
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp3F22.bat
        368⤵
        
        PID:1316
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        369⤵
        
        PID:2256
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4200.bat
        370⤵
        
        PID:2116
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        371⤵
        
        PID:1768
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp44FC.bat
        372⤵
        
        PID:2524
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        373⤵
        
        PID:768
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp47E9.bat
        374⤵
        
        PID:2128
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        375⤵
        
        PID:2028
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4AE5.bat
        376⤵
        
        PID:2828
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        377⤵
        
        PID:1352
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4DC3.bat
        378⤵
        
        PID:2904
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        379⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp50BF.bat
        380⤵
        
        PID:272
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        381⤵
        
        PID:2544
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp539C.bat
        382⤵
        
        PID:2960
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        383⤵
        
        PID:2896
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5699.bat
        384⤵
        
        PID:320
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        385⤵
        
        PID:2908
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5995.bat
        386⤵
        
        PID:2184
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        387⤵
        
        PID:2220
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5C91.bat
        388⤵
        
        PID:2244
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        389⤵
        
        PID:2428
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp5F8E.bat
        390⤵
        
        PID:760
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        391⤵
        
        PID:2348
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp628A.bat
        392⤵
        
        PID:2816
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        393⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6577.bat
        394⤵
        
        PID:1764
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        395⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6873.bat
        396⤵
        
        PID:2812
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        397⤵
        
        PID:2692
        
        C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp6B51.bat
        398⤵
        
        PID:1976
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        399⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        396⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        394⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        392⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        390⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        388⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        386⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        384⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        382⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        380⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        378⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        376⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        374⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        372⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        370⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        368⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        366⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        364⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        362⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        360⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        358⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        356⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        354⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        352⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        350⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        348⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        346⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        344⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        342⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        340⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        338⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        336⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        334⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        332⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        330⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        328⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        326⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        324⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        322⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        320⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        318⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        316⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        314⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        312⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        310⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        308⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        306⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        304⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        302⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        300⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        298⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        296⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        294⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        292⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        290⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        288⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        286⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        284⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        282⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        280⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        278⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        276⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        274⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        272⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        270⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        268⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        266⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        264⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        262⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        260⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        258⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        256⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        254⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        252⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        250⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        248⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        246⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        244⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        242⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        240⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        238⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        236⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        234⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        232⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        230⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        228⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        226⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        224⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        222⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        220⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        218⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        216⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        214⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        212⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        210⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        208⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        206⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        204⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        202⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        200⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        198⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        196⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        194⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        192⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        190⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        188⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        186⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        184⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        182⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        180⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        178⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        176⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        174⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        172⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        170⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        168⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        166⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        164⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        162⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        160⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        158⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        156⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        154⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        152⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        150⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        148⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        146⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        144⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        142⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        140⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        138⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        136⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        134⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        132⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        130⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        128⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        126⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        124⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        122⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        120⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        118⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        116⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        114⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        112⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        110⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        108⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        106⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        104⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        102⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        100⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        98⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        96⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        94⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        92⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        90⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        88⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        86⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        84⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        82⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        80⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        78⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        76⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        74⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        72⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        70⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        68⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        66⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        64⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        62⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        60⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        58⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        56⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        54⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        52⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        50⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        48⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        46⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        44⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        42⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        40⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        38⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        36⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        34⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        32⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        30⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        28⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        26⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        24⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        22⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        20⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        18⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        16⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        12⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        8⤵
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        6⤵
        
        PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
      4⤵
      PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\01a4355298023c35423d92d98380730c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp232A.bat

Filesize
33B

MD5
eae7cd62995054b114ef1b0823c830ed

SHA1
a7b69b6455ac45a75d87de1ddc807f19e3d4ab17

SHA256
b42de27cd38bef527be79ceaae4b8974d5dca8971f953ce9bfea602e65890c49

SHA512
f616f3962fcf2d92e75a53ac1a204abd5ff6afc42554c5be994da9c55da9347028bdbe6b3acd05585ab4e746c3c46017ee51696472aff0fb6e0feca2c392f32c

Download Submit
\Windows\SysWOW64\kawdcaz.exe

Filesize
13KB

MD5
01a4355298023c35423d92d98380730c

SHA1
489fd8014d23722871bf82739362657e69fb5642

SHA256
349225d232f24526c0b83d25f9e026c0da9b30868178989a790424717420a27d

SHA512
f1001149b5431905691267d1def21709229b60edf4e261199ffdc6dee93bea30a494d1f0b3baf6209efa0591f479a3261e6f5e3ecd9bdb537c5acfc8dfb96e4a

Download Submit
memory/488-935-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/616-158-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/632-99-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/632-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/692-717-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/692-716-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/700-546-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/756-912-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-707-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/852-708-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/880-826-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-530-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-808-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/1308-690-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1340-608-0x0000000000450000-0x000000000048C000-memory.dmp

Filesize
240KB

Download
memory/1352-816-0x00000000005A0000-0x00000000005DC000-memory.dmp

Filesize
240KB

Download
memory/1364-897-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-406-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/1532-407-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/1552-920-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-452-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/1608-529-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/1632-301-0x0000000000190000-0x00000000001CC000-memory.dmp

Filesize
240KB

Download
memory/1652-475-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/1680-562-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-368-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1708-633-0x0000000000200000-0x000000000023C000-memory.dmp

Filesize
240KB

Download
memory/1712-997-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1724-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1728-981-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/1784-74-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/1784-75-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/1812-293-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1816-12-0x00000000001F0000-0x000000000022C000-memory.dmp

Filesize
240KB

Download
memory/1932-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-430-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1952-429-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1960-617-0x0000000000200000-0x000000000023C000-memory.dmp

Filesize
240KB

Download
memory/1960-616-0x0000000000200000-0x000000000023C000-memory.dmp

Filesize
240KB

Download
memory/1988-1007-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2020-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-882-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-111-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/2064-112-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/2076-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-657-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-656-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-950-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2176-866-0x0000000000330000-0x000000000036C000-memory.dmp

Filesize
240KB

Download
memory/2220-1006-0x0000000000330000-0x000000000036C000-memory.dmp

Filesize
240KB

Download
memory/2276-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-682-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2356-989-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2388-817-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2400-554-0x0000000000810000-0x000000000084C000-memory.dmp

Filesize
240KB

Download
memory/2440-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-39-0x0000000000410000-0x000000000044C000-memory.dmp

Filesize
240KB

Download
memory/2468-577-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2468-725-0x0000000002270000-0x00000000022AC000-memory.dmp

Filesize
240KB

Download
memory/2496-758-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-733-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/2520-585-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2556-467-0x00000000001F0000-0x000000000022C000-memory.dmp

Filesize
240KB

Download
memory/2612-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-1022-0x0000000000430000-0x000000000046C000-memory.dmp

Filesize
240KB

Download
memory/2664-27-0x0000000000180000-0x00000000001BC000-memory.dmp

Filesize
240KB

Download
memory/2684-874-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2708-825-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2768-742-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2768-593-0x0000000000110000-0x000000000014C000-memory.dmp

Filesize
240KB

Download
memory/2768-741-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2788-87-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2796-625-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2816-483-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/2820-499-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/2864-641-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-674-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2888-673-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2896-841-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2896-842-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2904-973-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-698-0x0000000000430000-0x000000000046C000-memory.dmp

Filesize
240KB

Download
memory/2904-699-0x0000000000430000-0x000000000046C000-memory.dmp

Filesize
240KB

Download
memory/2908-743-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-665-0x00000000001E0000-0x000000000021C000-memory.dmp

Filesize
240KB

Download
memory/2948-538-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2992-998-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2992-851-0x0000000000450000-0x000000000048C000-memory.dmp

Filesize
240KB

Download
memory/2992-850-0x0000000000450000-0x000000000048C000-memory.dmp

Filesize
240KB

Download
memory/3020-965-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/3028-376-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download