349225d232f24526c0b83d25f9e026c0da9b30868178989a790424717420a27d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01a4355298023c35423d92d98380730c_JaffaCakes118.exe
Size

13KB
MD5

01a4355298023c35423d92d98380730c
SHA1

489fd8014d23722871bf82739362657e69fb5642
SHA256

349225d232f24526c0b83d25f9e026c0da9b30868178989a790424717420a27d
SHA512

f1001149b5431905691267d1def21709229b60edf4e261199ffdc6dee93bea30a494d1f0b3baf6209efa0591f479a3261e6f5e3ecd9bdb537c5acfc8dfb96e4a
SSDEEP

384:RtHbNKJ4mD2B6FrXqFio/eUBBUWUXmxgYbRo0Pkte:Rt24O2B67o/ZUWcmRZMM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3516	kawdcaz.exe
4752	kawdcaz.exe
3964	kawdcaz.exe
4092	kawdcaz.exe
1568	kawdcaz.exe
5036	kawdcaz.exe
556	kawdcaz.exe
2444	kawdcaz.exe
1368	kawdcaz.exe
4456	kawdcaz.exe
808	kawdcaz.exe
4692	kawdcaz.exe
4768	kawdcaz.exe
3320	kawdcaz.exe
3496	kawdcaz.exe
1948	kawdcaz.exe
208	kawdcaz.exe
4504	kawdcaz.exe
4328	kawdcaz.exe
4116	kawdcaz.exe
3988	kawdcaz.exe
2464	kawdcaz.exe
3856	kawdcaz.exe
1800	kawdcaz.exe
1880	kawdcaz.exe
4464	kawdcaz.exe
1084	kawdcaz.exe
5048	kawdcaz.exe
4536	kawdcaz.exe
1720	kawdcaz.exe
2388	kawdcaz.exe
4504	kawdcaz.exe
2600	kawdcaz.exe
1032	kawdcaz.exe
3032	kawdcaz.exe
2012	kawdcaz.exe
2624	kawdcaz.exe
4780	kawdcaz.exe
2328	kawdcaz.exe
212	kawdcaz.exe
4148	kawdcaz.exe
4732	kawdcaz.exe
2672	kawdcaz.exe
912	kawdcaz.exe
872	kawdcaz.exe
1504	kawdcaz.exe
2480	kawdcaz.exe
4876	kawdcaz.exe
3092	kawdcaz.exe
2284	kawdcaz.exe
4620	kawdcaz.exe
4184	kawdcaz.exe
4272	kawdcaz.exe
4976	kawdcaz.exe
4056	kawdcaz.exe
4372	kawdcaz.exe
3588	kawdcaz.exe
4116	kawdcaz.exe
3988	kawdcaz.exe
4532	kawdcaz.exe
3892	kawdcaz.exe
5000	kawdcaz.exe
64	kawdcaz.exe
4320	kawdcaz.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File created	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe
File opened for modification	C:\WINDOWS\SysWOW64\kawdcaz.exe	kawdcaz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe
3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe
3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe
3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe
3516	kawdcaz.exe
3516	kawdcaz.exe
3516	kawdcaz.exe
3516	kawdcaz.exe
4752	kawdcaz.exe
4752	kawdcaz.exe
4752	kawdcaz.exe
4752	kawdcaz.exe
3964	kawdcaz.exe
3964	kawdcaz.exe
3964	kawdcaz.exe
3964	kawdcaz.exe
4092	kawdcaz.exe
4092	kawdcaz.exe
4092	kawdcaz.exe
4092	kawdcaz.exe
1568	kawdcaz.exe
1568	kawdcaz.exe
1568	kawdcaz.exe
1568	kawdcaz.exe
5036	kawdcaz.exe
5036	kawdcaz.exe
5036	kawdcaz.exe
5036	kawdcaz.exe
556	kawdcaz.exe
556	kawdcaz.exe
556	kawdcaz.exe
556	kawdcaz.exe
2444	kawdcaz.exe
2444	kawdcaz.exe
2444	kawdcaz.exe
2444	kawdcaz.exe
1368	kawdcaz.exe
1368	kawdcaz.exe
1368	kawdcaz.exe
1368	kawdcaz.exe
4456	kawdcaz.exe
4456	kawdcaz.exe
4456	kawdcaz.exe
4456	kawdcaz.exe
808	kawdcaz.exe
808	kawdcaz.exe
808	kawdcaz.exe
808	kawdcaz.exe
4692	kawdcaz.exe
4692	kawdcaz.exe
4692	kawdcaz.exe
4692	kawdcaz.exe
4768	kawdcaz.exe
4768	kawdcaz.exe
4768	kawdcaz.exe
4768	kawdcaz.exe
3320	kawdcaz.exe
3320	kawdcaz.exe
3320	kawdcaz.exe
3320	kawdcaz.exe
3496	kawdcaz.exe
3496	kawdcaz.exe
3496	kawdcaz.exe
3496	kawdcaz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3672	3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	84
PID 3320 wrote to memory of 3672	3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	84
PID 3320 wrote to memory of 3672	3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	84
PID 3672 wrote to memory of 3516	3672	cmd.exe	86
PID 3672 wrote to memory of 3516	3672	cmd.exe	86
PID 3672 wrote to memory of 3516	3672	cmd.exe	86
PID 3516 wrote to memory of 4712	3516	kawdcaz.exe	87
PID 3516 wrote to memory of 4712	3516	kawdcaz.exe	87
PID 3516 wrote to memory of 4712	3516	kawdcaz.exe	87
PID 4712 wrote to memory of 4752	4712	cmd.exe	89
PID 4712 wrote to memory of 4752	4712	cmd.exe	89
PID 4712 wrote to memory of 4752	4712	cmd.exe	89
PID 3320 wrote to memory of 2864	3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	90
PID 3320 wrote to memory of 2864	3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	90
PID 3320 wrote to memory of 2864	3320	01a4355298023c35423d92d98380730c_JaffaCakes118.exe	90
PID 4752 wrote to memory of 2504	4752	kawdcaz.exe	92
PID 4752 wrote to memory of 2504	4752	kawdcaz.exe	92
PID 4752 wrote to memory of 2504	4752	kawdcaz.exe	92
PID 2504 wrote to memory of 3964	2504	cmd.exe	94
PID 2504 wrote to memory of 3964	2504	cmd.exe	94
PID 2504 wrote to memory of 3964	2504	cmd.exe	94
PID 3516 wrote to memory of 2328	3516	kawdcaz.exe	95
PID 3516 wrote to memory of 2328	3516	kawdcaz.exe	95
PID 3516 wrote to memory of 2328	3516	kawdcaz.exe	95
PID 3964 wrote to memory of 3188	3964	kawdcaz.exe	97
PID 3964 wrote to memory of 3188	3964	kawdcaz.exe	97
PID 3964 wrote to memory of 3188	3964	kawdcaz.exe	97
PID 3188 wrote to memory of 4092	3188	cmd.exe	99
PID 3188 wrote to memory of 4092	3188	cmd.exe	99
PID 3188 wrote to memory of 4092	3188	cmd.exe	99
PID 4752 wrote to memory of 4432	4752	kawdcaz.exe	100
PID 4752 wrote to memory of 4432	4752	kawdcaz.exe	100
PID 4752 wrote to memory of 4432	4752	kawdcaz.exe	100
PID 4092 wrote to memory of 780	4092	kawdcaz.exe	102
PID 4092 wrote to memory of 780	4092	kawdcaz.exe	102
PID 4092 wrote to memory of 780	4092	kawdcaz.exe	102
PID 780 wrote to memory of 1568	780	cmd.exe	104
PID 780 wrote to memory of 1568	780	cmd.exe	104
PID 780 wrote to memory of 1568	780	cmd.exe	104
PID 3964 wrote to memory of 1448	3964	kawdcaz.exe	105
PID 3964 wrote to memory of 1448	3964	kawdcaz.exe	105
PID 3964 wrote to memory of 1448	3964	kawdcaz.exe	105
PID 1568 wrote to memory of 216	1568	kawdcaz.exe	107
PID 1568 wrote to memory of 216	1568	kawdcaz.exe	107
PID 1568 wrote to memory of 216	1568	kawdcaz.exe	107
PID 216 wrote to memory of 5036	216	cmd.exe	109
PID 216 wrote to memory of 5036	216	cmd.exe	109
PID 216 wrote to memory of 5036	216	cmd.exe	109
PID 4092 wrote to memory of 540	4092	kawdcaz.exe	110
PID 4092 wrote to memory of 540	4092	kawdcaz.exe	110
PID 4092 wrote to memory of 540	4092	kawdcaz.exe	110
PID 5036 wrote to memory of 1876	5036	kawdcaz.exe	112
PID 5036 wrote to memory of 1876	5036	kawdcaz.exe	112
PID 5036 wrote to memory of 1876	5036	kawdcaz.exe	112
PID 1876 wrote to memory of 556	1876	cmd.exe	114
PID 1876 wrote to memory of 556	1876	cmd.exe	114
PID 1876 wrote to memory of 556	1876	cmd.exe	114
PID 1568 wrote to memory of 3240	1568	kawdcaz.exe	115
PID 1568 wrote to memory of 3240	1568	kawdcaz.exe	115
PID 1568 wrote to memory of 3240	1568	kawdcaz.exe	115
PID 556 wrote to memory of 1272	556	kawdcaz.exe	117
PID 556 wrote to memory of 1272	556	kawdcaz.exe	117
PID 556 wrote to memory of 1272	556	kawdcaz.exe	117
PID 1272 wrote to memory of 2444	1272	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\01a4355298023c35423d92d98380730c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01a4355298023c35423d92d98380730c_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp614A.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\WINDOWS\SysWOW64\kawdcaz.exe
    "C:\WINDOWS\system32\kawdcaz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6457.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6765.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6A91.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6D8F.bat
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp709C.bat
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp738A.bat
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7678.bat
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7966.bat
        18⤵
        
        PID:5020
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7C64.bat
        20⤵
        
        PID:4312
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7F52.bat
        22⤵
        
        PID:916
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp825F.bat
        24⤵
        
        PID:3712
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp854D.bat
        26⤵
        
        PID:2276
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp883B.bat
        28⤵
        
        PID:2968
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8B48.bat
        30⤵
        
        PID:3672
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8E46.bat
        32⤵
        
        PID:3312
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        33⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9143.bat
        34⤵
        
        PID:3928
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        35⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9460.bat
        36⤵
        
        PID:3188
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        37⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp976D.bat
        38⤵
        
        PID:2364
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        39⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9A6B.bat
        40⤵
        
        PID:216
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        41⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9D69.bat
        42⤵
        
        PID:2084
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        43⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA066.bat
        44⤵
        
        PID:1636
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        45⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA364.bat
        46⤵
        
        PID:3808
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA662.bat
        48⤵
        
        PID:2928
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        49⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA95F.bat
        50⤵
        
        PID:3512
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpAC4D.bat
        52⤵
        
        PID:4280
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpAF3B.bat
        54⤵
        
        PID:2520
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        55⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB248.bat
        56⤵
        
        PID:1968
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        57⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB536.bat
        58⤵
        
        PID:3672
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        59⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB834.bat
        60⤵
        
        PID:2408
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpBB32.bat
        62⤵
        
        PID:208
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        63⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpBE2F.bat
        64⤵
        
        PID:3852
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        65⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpC12D.bat
        66⤵
        
        PID:2032
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        67⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpC41B.bat
        68⤵
        
        PID:4364
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        69⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpC709.bat
        70⤵
        
        PID:2936
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        71⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpCA16.bat
        72⤵
        
        PID:4456
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        73⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpCD23.bat
        74⤵
        
        PID:1956
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        75⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD021.bat
        76⤵
        
        PID:3784
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        77⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD32E.bat
        78⤵
        
        PID:4592
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        79⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD61C.bat
        80⤵
        
        PID:1796
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        81⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD92A.bat
        82⤵
        
        PID:3836
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        83⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpDC46.bat
        84⤵
        
        PID:332
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        85⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpDF63.bat
        86⤵
        
        PID:1760
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        87⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpE271.bat
        88⤵
        
        PID:5036
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        89⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpE58D.bat
        90⤵
        
        PID:4988
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        91⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpE89B.bat
        92⤵
        
        PID:4460
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        93⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpEBA8.bat
        94⤵
        
        PID:764
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        95⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpEEB5.bat
        96⤵
        
        PID:3260
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        97⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpF1C2.bat
        98⤵
        
        PID:8
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        99⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpF4D0.bat
        100⤵
        
        PID:1508
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        101⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpF7DD.bat
        102⤵
        
        PID:3108
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        103⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpFADB.bat
        104⤵
        
        PID:980
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        105⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpFDC9.bat
        106⤵
        
        PID:3652
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        107⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD6.bat
        108⤵
        
        PID:2520
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        109⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp3E3.bat
        110⤵
        
        PID:2300
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6D1.bat
        112⤵
        
        PID:3992
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        113⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9CF.bat
        114⤵
        
        PID:2536
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        115⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpCEC.bat
        116⤵
        
        PID:4084
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        117⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpFDA.bat
        118⤵
        
        PID:4384
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        119⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp12E7.bat
        120⤵
        
        PID:2600
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        121⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp15F4.bat
        122⤵
        
        PID:4876
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp1901.bat
        124⤵
        
        PID:436
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        125⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp1BEF.bat
        126⤵
        
        PID:1484
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        127⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp1EFD.bat
        128⤵
        
        PID:1548
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        129⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp21EB.bat
        130⤵
        
        PID:748
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        131⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp24F8.bat
        132⤵
        
        PID:4444
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        133⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp27E6.bat
        134⤵
        
        PID:5048
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        135⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp2AD4.bat
        136⤵
        
        PID:1760
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        137⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp2DC2.bat
        138⤵
        
        PID:4480
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        139⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp30B0.bat
        140⤵
        
        PID:2940
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        141⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp339E.bat
        142⤵
        
        PID:216
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        143⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp368C.bat
        144⤵
        
        PID:1908
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        145⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp397A.bat
        146⤵
        
        PID:4404
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        147⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp3CA6.bat
        148⤵
        
        PID:4776
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        149⤵
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp3FC3.bat
        150⤵
        
        PID:2864
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        151⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp42B1.bat
        152⤵
        
        PID:4972
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        153⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp459F.bat
        154⤵
        
        PID:2952
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        155⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp488D.bat
        156⤵
        
        PID:3300
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        157⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp4B7B.bat
        158⤵
        
        PID:4060
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        159⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp4E88.bat
        160⤵
        
        PID:3788
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        161⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5186.bat
        162⤵
        
        PID:2944
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        163⤵
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5484.bat
        164⤵
        
        PID:3264
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        165⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5772.bat
        166⤵
        
        PID:4480
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        167⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5A7F.bat
        168⤵
        
        PID:1500
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        169⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5D8C.bat
        170⤵
        
        PID:4068
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        171⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp608A.bat
        172⤵
        
        PID:4620
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        173⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6387.bat
        174⤵
        
        PID:3388
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        175⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6685.bat
        176⤵
        
        PID:1452
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        177⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6983.bat
        178⤵
        
        PID:3472
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        179⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6C80.bat
        180⤵
        
        PID:628
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        181⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6F7E.bat
        182⤵
        
        PID:1000
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        183⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp727C.bat
        184⤵
        
        PID:3916
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        185⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7579.bat
        186⤵
        
        PID:1084
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        187⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7886.bat
        188⤵
        
        PID:3224
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        189⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7B94.bat
        190⤵
        
        PID:3448
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        191⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7E82.bat
        192⤵
        
        PID:868
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        193⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8170.bat
        194⤵
        
        PID:4516
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        195⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp846D.bat
        196⤵
        
        PID:4412
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        197⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp878A.bat
        198⤵
        
        PID:4116
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        199⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8A78.bat
        200⤵
        
        PID:2756
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        201⤵
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8D95.bat
        202⤵
        
        PID:1804
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        203⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp90A2.bat
        204⤵
        
        PID:3212
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        205⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp93A0.bat
        206⤵
        
        PID:3500
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        207⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp96AD.bat
        208⤵
        
        PID:3836
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        209⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp99BA.bat
        210⤵
        
        PID:4228
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        211⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9CA8.bat
        212⤵
        
        PID:872
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        213⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9FA6.bat
        214⤵
        
        PID:4588
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        215⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA2A4.bat
        216⤵
        
        PID:1904
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        217⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA5A1.bat
        218⤵
        
        PID:1808
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        219⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA8AF.bat
        220⤵
        
        PID:4596
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        221⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpABCB.bat
        222⤵
        
        PID:4068
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        223⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpAEF8.bat
        224⤵
        
        PID:1696
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        225⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB215.bat
        226⤵
        
        PID:4176
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        227⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB512.bat
        228⤵
        
        PID:3172
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        229⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB810.bat
        230⤵
        
        PID:2864
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        231⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpBB2D.bat
        232⤵
        
        PID:1676
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        233⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpBE2B.bat
        234⤵
        
        PID:3652
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        235⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpC128.bat
        236⤵
        
        PID:4796
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        237⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpC426.bat
        238⤵
        
        PID:4608
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        239⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpC733.bat
        240⤵
        
        PID:3640
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        241⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpCA21.bat
        242⤵
        
        PID:3276
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        243⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpCD2E.bat
        244⤵
        
        PID:3380
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        245⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD03C.bat
        246⤵
        
        PID:2312
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        247⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD349.bat
        248⤵
        
        PID:2480
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        249⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD656.bat
        250⤵
        
        PID:3240
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        251⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD963.bat
        252⤵
        
        PID:4712
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        253⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpDC61.bat
        254⤵
        
        PID:1636
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        255⤵
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpDF6E.bat
        256⤵
        
        PID:1376
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        257⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpE28B.bat
        258⤵
        
        PID:3724
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        259⤵
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpE589.bat
        260⤵
        
        PID:3252
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        261⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpE886.bat
        262⤵
        
        PID:1464
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        263⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpEB94.bat
        264⤵
        
        PID:4636
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        265⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpEEB0.bat
        266⤵
        
        PID:3248
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        267⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpF1CD.bat
        268⤵
        
        PID:4808
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        269⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpF4EA.bat
        270⤵
        
        PID:2928
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        271⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpF7F7.bat
        272⤵
        
        PID:1788
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        273⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpFB05.bat
        274⤵
        
        PID:1224
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        275⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpFE02.bat
        276⤵
        
        PID:3592
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        277⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp110.bat
        278⤵
        
        PID:3468
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        279⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp42C.bat
        280⤵
        
        PID:4448
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        281⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp749.bat
        282⤵
        
        PID:4752
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        283⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA57.bat
        284⤵
        
        PID:3688
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        285⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpD45.bat
        286⤵
        
        PID:8
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        287⤵
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp1052.bat
        288⤵
        
        PID:1016
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        289⤵
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp135F.bat
        290⤵
        
        PID:4644
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        291⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp165D.bat
        292⤵
        
        PID:3588
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        293⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp195A.bat
        294⤵
        
        PID:952
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        295⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp1C68.bat
        296⤵
        
        PID:628
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        297⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp1F75.bat
        298⤵
        
        PID:3988
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        299⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp2282.bat
        300⤵
        
        PID:5052
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        301⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp258F.bat
        302⤵
        
        PID:220
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        303⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp289D.bat
        304⤵
        
        PID:3312
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        305⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp2B9A.bat
        306⤵
        
        PID:2532
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        307⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp2EA7.bat
        308⤵
        
        PID:3240
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        309⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp31B5.bat
        310⤵
        
        PID:3388
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        311⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp34C2.bat
        312⤵
        
        PID:2328
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        313⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp37C0.bat
        314⤵
        
        PID:4008
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        315⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp3ABD.bat
        316⤵
        
        PID:1676
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        317⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp3DBB.bat
        318⤵
        
        PID:4672
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        319⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp40C8.bat
        320⤵
        
        PID:1348
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        321⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp43B6.bat
        322⤵
        
        PID:3608
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        323⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp46C3.bat
        324⤵
        
        PID:2436
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        325⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp49E0.bat
        326⤵
        
        PID:3340
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        327⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp4CED.bat
        328⤵
        
        PID:2020
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        329⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp4FFB.bat
        330⤵
        
        PID:3988
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        331⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp52F8.bat
        332⤵
        
        PID:208
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        333⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp55F6.bat
        334⤵
        
        PID:3592
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        335⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp58F4.bat
        336⤵
        
        PID:1948
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        337⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5C01.bat
        338⤵
        
        PID:1472
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        339⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp5F1E.bat
        340⤵
        
        PID:2932
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        341⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp620C.bat
        342⤵
        
        PID:5032
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        343⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6529.bat
        344⤵
        
        PID:3856
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        345⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6817.bat
        346⤵
        
        PID:404
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        347⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6B05.bat
        348⤵
        
        PID:1492
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        349⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp6DF3.bat
        350⤵
        
        PID:4672
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        351⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp70E1.bat
        352⤵
        
        PID:2432
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        353⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp73CF.bat
        354⤵
        
        PID:3608
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        355⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp76DC.bat
        356⤵
        
        PID:1952
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        357⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp79E9.bat
        358⤵
        
        PID:1084
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        359⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7CE7.bat
        360⤵
        
        PID:3728
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        361⤵
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8061.bat
        362⤵
        
        PID:552
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        363⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp837E.bat
        364⤵
        
        PID:3656
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        365⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp869B.bat
        366⤵
        
        PID:1548
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        367⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8999.bat
        368⤵
        
        PID:112
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        369⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8CC5.bat
        370⤵
        
        PID:4068
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        371⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8FD2.bat
        372⤵
        
        PID:4008
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        373⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp92E0.bat
        374⤵
        
        PID:2756
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        375⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp95DD.bat
        376⤵
        
        PID:1800
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        377⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp98EB.bat
        378⤵
        
        PID:4248
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        379⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9BE8.bat
        380⤵
        
        PID:4396
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        381⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9EF5.bat
        382⤵
        
        PID:1348
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        383⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA1F3.bat
        384⤵
        
        PID:2364
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        385⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA4E1.bat
        386⤵
        
        PID:4364
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        387⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpA7FE.bat
        388⤵
        
        PID:3568
        
        C:\WINDOWS\SysWOW64\kawdcaz.exe
        
        "C:\WINDOWS\system32\kawdcaz.exe"
        389⤵
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        384⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        382⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        380⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        378⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        376⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        374⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        372⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        370⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        368⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        366⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        364⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        362⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        360⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        358⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        356⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        354⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        352⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        350⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        348⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        346⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        344⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        342⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        340⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        338⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        336⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        334⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        332⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        330⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        328⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        326⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        324⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        322⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        320⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        318⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        316⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        314⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        312⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        310⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        308⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        306⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        304⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        302⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        300⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        298⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        296⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        294⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        292⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        290⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        288⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        286⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        284⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        282⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        280⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        278⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        276⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        274⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        272⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        270⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        268⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        266⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        264⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        262⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        260⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        258⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        256⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        254⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        252⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        250⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        248⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        246⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        244⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        242⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        240⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        238⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        236⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        234⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        232⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        230⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        228⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        226⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        224⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        222⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        220⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        218⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        216⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        214⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        212⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        210⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        208⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        206⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        204⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        202⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        200⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        198⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        196⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        194⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        192⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        190⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        188⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        186⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        184⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        182⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        180⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        178⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        176⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        174⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        172⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        170⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        168⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        166⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        164⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        162⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        160⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        158⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        156⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        154⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        152⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        150⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        148⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        146⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        144⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        142⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        140⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        138⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        136⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        134⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        132⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        130⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        128⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        126⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        124⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        122⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        120⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        118⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        116⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        114⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        112⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        110⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        108⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        106⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        104⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        102⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        100⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        98⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        96⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        94⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        92⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        90⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        88⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        86⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        84⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        82⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        80⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        78⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        76⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        74⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        72⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        70⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        68⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        66⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        64⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        62⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        60⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        58⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        56⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        54⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        52⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        50⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        48⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        46⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        44⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        42⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        40⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        38⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        36⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        34⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        32⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        30⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        28⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        26⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        24⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        22⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        20⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        18⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        16⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        14⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        12⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        10⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        8⤵
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
        6⤵
        
        PID:4432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\WINDOWS\SysWOW64\kawdcaz.exe"
      4⤵
      PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\01a4355298023c35423d92d98380730c_JaffaCakes118.exe"
  2⤵
  PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp614A.bat

Filesize
33B

MD5
eae7cd62995054b114ef1b0823c830ed

SHA1
a7b69b6455ac45a75d87de1ddc807f19e3d4ab17

SHA256
b42de27cd38bef527be79ceaae4b8974d5dca8971f953ce9bfea602e65890c49

SHA512
f616f3962fcf2d92e75a53ac1a204abd5ff6afc42554c5be994da9c55da9347028bdbe6b3acd05585ab4e746c3c46017ee51696472aff0fb6e0feca2c392f32c

Download Submit
C:\WINDOWS\SysWOW64\kawdcaz.exe

Filesize
13KB

MD5
01a4355298023c35423d92d98380730c

SHA1
489fd8014d23722871bf82739362657e69fb5642

SHA256
349225d232f24526c0b83d25f9e026c0da9b30868178989a790424717420a27d

SHA512
f1001149b5431905691267d1def21709229b60edf4e261199ffdc6dee93bea30a494d1f0b3baf6209efa0591f479a3261e6f5e3ecd9bdb537c5acfc8dfb96e4a

Download Submit
memory/208-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-457-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2420-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2672-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3196-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-462-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3512-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-446-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3964-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4184-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4448-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4464-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4668-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4732-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4940-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download