d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b

Analysis

max time kernel
1793s
max time network
1140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus Maker.rar
Size

82KB
MD5

d1f61793e7898df4b27e3345764ceca8
SHA1

f03b91146aeaf753b565620a022a238830ed56d4
SHA256

d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b
SHA512

6491767f6db68886d000b173306377f3b0bf2d6db765ce4c14139c9ad09fa44e6cb75489f3858e45c4000333d2ad517721f81cc48e94de25c75c17cac36bb617
SSDEEP

1536:S0s/fG5w2aRBBNACjLkvSrfqAbv0Zarjg5AfDLCNE3Ztg/776X95:5s/+uRBmvMfzrhfbD2NStk76N5

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	Virus Maker.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\Tranbyadmin.bat"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe
File created	C:\Windows\Tranbyadmin.bat	cmd.exe
File opened for modification	C:\Windows\Tranbyadmin.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus Maker.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found

Modifies registry class 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "11"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Documents"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	Virus Maker.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1712	reg.exe
2180	reg.exe
14120	Process not Found
15392	Process not Found
16052	Process not Found
18028	Process not Found
11680	Process not Found
15428	Process not Found
4964	reg.exe
7228	reg.exe
10648	reg.exe
12560	Process not Found
19508	Process not Found
19360	Process not Found
4108	reg.exe
3776	reg.exe
5500	reg.exe
5868	reg.exe
8628	reg.exe
13892	Process not Found
19448	Process not Found
18832	Process not Found
1884	reg.exe
8752	reg.exe
10348	Process not Found
12684	Process not Found
13280	Process not Found
15816	Process not Found
18740	Process not Found
18836	Process not Found
2432	reg.exe
5620	reg.exe
6856	reg.exe
8628	reg.exe
3568	reg.exe
2860	reg.exe
14140	Process not Found
15252	Process not Found
18488	Process not Found
10920	Process not Found
7700	reg.exe
17184	Process not Found
9156	Process not Found
8628	Process not Found
2844	reg.exe
7248	reg.exe
11512	Process not Found
4604	Process not Found
12908	Process not Found
17420	Process not Found
5956	reg.exe
4708	reg.exe
15528	Process not Found
15524	Process not Found
1524	reg.exe
19492	Process not Found
10640	Process not Found
5840	reg.exe
15536	Process not Found
17692	Process not Found
8068	Process not Found
6676	reg.exe
1944	Process not Found
12380	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1876	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4816	OpenWith.exe
1876	vlc.exe
4232	Virus Maker.exe
1376	cmd.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	5028	svchost.exe
Token: SeRestorePrivilege	5028	svchost.exe
Token: SeSecurityPrivilege	5028	svchost.exe
Token: SeTakeOwnershipPrivilege	5028	svchost.exe
Token: 35	5028	svchost.exe
Token: SeRestorePrivilege	2496	7zG.exe
Token: 35	2496	7zG.exe
Token: SeSecurityPrivilege	2496	7zG.exe
Token: SeSecurityPrivilege	2496	7zG.exe
Token: SeCreateGlobalPrivilege	1744	Process not Found
Token: SeChangeNotifyPrivilege	1744	Process not Found
Token: 33	1744	Process not Found
Token: SeIncBasePriorityPrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found
Token: SeShutdownPrivilege	1744	Process not Found
Token: SeCreatePagefilePrivilege	1744	Process not Found

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1876	vlc.exe
1876	vlc.exe
1876	vlc.exe
2496	7zG.exe
4232	Virus Maker.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1876	vlc.exe
1876	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
1876	vlc.exe
4232	Virus Maker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1876	4816	OpenWith.exe	90
PID 4816 wrote to memory of 1876	4816	OpenWith.exe	90
PID 1376 wrote to memory of 4236	1376	cmd.exe	113
PID 1376 wrote to memory of 4236	1376	cmd.exe	113
PID 1376 wrote to memory of 656	1376	cmd.exe	114
PID 1376 wrote to memory of 656	1376	cmd.exe	114
PID 1376 wrote to memory of 3828	1376	cmd.exe	115
PID 1376 wrote to memory of 3828	1376	cmd.exe	115
PID 1376 wrote to memory of 960	1376	cmd.exe	116
PID 1376 wrote to memory of 960	1376	cmd.exe	116
PID 1376 wrote to memory of 2684	1376	cmd.exe	117
PID 1376 wrote to memory of 2684	1376	cmd.exe	117
PID 1376 wrote to memory of 1336	1376	cmd.exe	118
PID 1376 wrote to memory of 1336	1376	cmd.exe	118
PID 1376 wrote to memory of 3004	1376	cmd.exe	119
PID 1376 wrote to memory of 3004	1376	cmd.exe	119
PID 1376 wrote to memory of 1856	1376	cmd.exe	120
PID 1376 wrote to memory of 1856	1376	cmd.exe	120
PID 1376 wrote to memory of 1904	1376	cmd.exe	121
PID 1376 wrote to memory of 1904	1376	cmd.exe	121
PID 1376 wrote to memory of 3440	1376	cmd.exe	122
PID 1376 wrote to memory of 3440	1376	cmd.exe	122
PID 1376 wrote to memory of 4892	1376	cmd.exe	123
PID 1376 wrote to memory of 4892	1376	cmd.exe	123
PID 1376 wrote to memory of 2756	1376	cmd.exe	124
PID 1376 wrote to memory of 2756	1376	cmd.exe	124
PID 1376 wrote to memory of 1868	1376	cmd.exe	125
PID 1376 wrote to memory of 1868	1376	cmd.exe	125
PID 1376 wrote to memory of 2884	1376	cmd.exe	126
PID 1376 wrote to memory of 2884	1376	cmd.exe	126
PID 1376 wrote to memory of 3488	1376	cmd.exe	127
PID 1376 wrote to memory of 3488	1376	cmd.exe	127
PID 1376 wrote to memory of 4484	1376	cmd.exe	128
PID 1376 wrote to memory of 4484	1376	cmd.exe	128
PID 1376 wrote to memory of 1816	1376	cmd.exe	129
PID 1376 wrote to memory of 1816	1376	cmd.exe	129
PID 1376 wrote to memory of 1056	1376	cmd.exe	130
PID 1376 wrote to memory of 1056	1376	cmd.exe	130
PID 1376 wrote to memory of 4964	1376	cmd.exe	131
PID 1376 wrote to memory of 4964	1376	cmd.exe	131
PID 1376 wrote to memory of 3084	1376	cmd.exe	132
PID 1376 wrote to memory of 3084	1376	cmd.exe	132
PID 1376 wrote to memory of 1380	1376	cmd.exe	133
PID 1376 wrote to memory of 1380	1376	cmd.exe	133
PID 1376 wrote to memory of 2272	1376	cmd.exe	134
PID 1376 wrote to memory of 2272	1376	cmd.exe	134
PID 1376 wrote to memory of 4160	1376	cmd.exe	135
PID 1376 wrote to memory of 4160	1376	cmd.exe	135
PID 1376 wrote to memory of 4976	1376	cmd.exe	136
PID 1376 wrote to memory of 4976	1376	cmd.exe	136
PID 1376 wrote to memory of 2692	1376	cmd.exe	137
PID 1376 wrote to memory of 2692	1376	cmd.exe	137
PID 1376 wrote to memory of 1828	1376	cmd.exe	138
PID 1376 wrote to memory of 1828	1376	cmd.exe	138
PID 1376 wrote to memory of 4168	1376	cmd.exe	139
PID 1376 wrote to memory of 4168	1376	cmd.exe	139
PID 1376 wrote to memory of 3872	1376	cmd.exe	140
PID 1376 wrote to memory of 3872	1376	cmd.exe	140
PID 1376 wrote to memory of 5060	1376	cmd.exe	141
PID 1376 wrote to memory of 5060	1376	cmd.exe	141
PID 1376 wrote to memory of 2284	1376	cmd.exe	142
PID 1376 wrote to memory of 2284	1376	cmd.exe	142
PID 1376 wrote to memory of 4908	1376	cmd.exe	143
PID 1376 wrote to memory of 4908	1376	cmd.exe	143

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Virus Maker.rar"
1⤵
- Modifies registry class
PID:3576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Virus Maker.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Virus Maker\" -ad -an -ai#7zMap188:102:7zEvent5917
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2496

C:\Users\Admin\AppData\Local\Temp\Virus Maker\Virus Maker.exe
"C:\Users\Admin\AppData\Local\Temp\Virus Maker\Virus Maker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Tranbyadmin.bat" "
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4236
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:656
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3828
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:960
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2684
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1856
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:3440
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:4892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2756
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3488
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4484
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1816
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:4964
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3084
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1380
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4160
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4976
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1828
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4168
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3872
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5060
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2284
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4908
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1536
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4308
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1160
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4236
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1424
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3612
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:960
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1652
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:408
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4560
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2216
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:984
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2748
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2564
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3788
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2896
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4968
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1388
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2068
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4652
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3576
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2036
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4576
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3080
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4072
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:668
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2176
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3612
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:960
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4520
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4992
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4320
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:924
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:1884
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2836
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4828
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2896
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:812
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3712
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3348
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1344
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:380
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:708
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1732
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:816
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:324
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4072
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2024
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3808
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:208
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3516
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3612
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5000
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4992
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4840
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2396
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1816
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4292
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1212
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3324
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:4708
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1044
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3152
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:3568
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3700
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3976
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4560
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1324
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3800
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5080
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3412
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1804
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4196
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1372
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1756
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4924
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2780
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4072
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2024
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1260
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2948
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1112
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3672
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3940
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:4108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2476
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4444
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3396
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3776
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4656
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3028
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4612
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1340
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4108
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4524
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2120
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:396
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3380
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4708
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4656
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3388
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2228
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2844
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:960
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4716
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1628
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3340
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2568
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1792
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5060
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4516
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4128
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3908
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:972
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1712
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:800
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:812
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4048
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3256
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2124
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3228
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4176
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2896
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:116
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4588
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3012
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2276
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1160
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2132
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1156
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:2432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3012
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5060
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3804
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:208
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3524
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4784
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1200
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2124
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4112
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1508
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1200
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1040
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3848
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4112
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1136
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1772
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3488
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1000
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:2860
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4036
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:1712
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1044
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:3148
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3432
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:2180
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4884
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4136
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:3776
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1000
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:4804
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:2844
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2200
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:984
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1712
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:984
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:1524
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4992
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1160
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4168
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1604
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:984
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1476
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:984
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:844
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5220
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5236
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5284
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:5300
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5440
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5448
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5504
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5516
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5656
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5668
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5720
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5736
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5876
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5888
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:5956
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6096
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6108
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:844
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5288
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5308
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5352
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5540
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5548
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5596
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5612
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5780
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5800
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:5840
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6028
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6036
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6088
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5252
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5340
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5364
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3944
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5528
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:5620
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5632
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5844
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5828
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5936
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5920
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6140
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6120
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5148
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5160
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5380
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5396
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5468
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5496
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5716
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5720
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5812
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5804
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6016
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6056
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5356
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5368
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5432
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:5500
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5704
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5736
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5828
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6124
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5176
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5448
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5608
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5580
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5924
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5928
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5988
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5452
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5504
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5580
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5972
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6008
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5136
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5420
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5436
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5640
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5672
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1160
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6004
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5188
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5208
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5644
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5740
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5828
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5944
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5344
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5632
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5192
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5188
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5436
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5336
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6048
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5268
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6008
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5336
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5620
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5268
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5580
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5868
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2988
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5936
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5672
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5984
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5936
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5920
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:5892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5612
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5620
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:5868
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:976
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5920
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5620
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6180
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6192
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6340
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6348
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6404
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6572
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6580
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6644
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6656
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6800
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6808
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6872
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6888
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7028
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7040
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7100
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7116
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6232
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6240
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6308
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:6320
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6492
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6500
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6556
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6568
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6744
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6768
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6816
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7000
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7012
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7096
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7104
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3096
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6272
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6336
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6356
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6548
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6556
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6644
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6664
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6884
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6872
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6944
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6948
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6172
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7156
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6192
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6148
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6460
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6448
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6540
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6592
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6768
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6792
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6928
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6924
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7132
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7160
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6148
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4640
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6528
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6668
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:6676
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6928
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6968
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7108
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7012
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6324
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6332
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6416
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6424
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6772
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6732
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:6908
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6228
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6188
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6396
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6408
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6672
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6740
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6908
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6148
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6348
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6432
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6568
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7084
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6908
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:628
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:440
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6448
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6508
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6700
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6696
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7160
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6300
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6416
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6528
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7052
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7120
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:516
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6952
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6960
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7080
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6432
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6408
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6688
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6160
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2076
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6696
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6876
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:6856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3520
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6300
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4948
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6688
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6876
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6212
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6688
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6960
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7232
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7244
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7296
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7308
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7460
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7468
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7524
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7536
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7676
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7688
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7748
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7764
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7908
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7924
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7980
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7996
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8136
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8144
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6300
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:4948
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7312
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7316
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7380
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7396
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7564
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7636
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7580
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7568
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7824
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7836
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7880
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7904
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8084
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8092
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4336
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7260
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7244
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7376
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7400
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7616
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7592
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7672
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:7700
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7892
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7936
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7992
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:6948
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6736
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7212
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:7228
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7480
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7508
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7560
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7576
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7816
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:2876
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:392
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7964
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7096
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6212
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7216
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:7248
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7512
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7544
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4592
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7656
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7888
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7972
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8036
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8048
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7248
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7292
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7376
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7404
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4600
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7740
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7788
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7120
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6856
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7228
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4592
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7704
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7764
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7792
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8164
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8052
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1512
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7704
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7736
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1804
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8068
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1512
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7380
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:7488
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8040
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8020
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7788
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4548
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8132
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7368
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7420
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7984
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8048
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8076
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7424
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7436
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7412
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3032
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7400
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:7200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7788
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6856
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7536
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4896
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7884
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7292
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8096
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8228
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8248
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8300
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8312
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8452
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8464
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8516
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8528
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8668
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8680
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8740
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:8752
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8892
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8900
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8956
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8972
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9112
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9128
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9184
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9196
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8224
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8260
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8320
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8336
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8504
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8524
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8564
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8760
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8784
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8828
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8840
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9008
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9016
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9180
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8260
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8304
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8364
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8376
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8584
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8544
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8660
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8644
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8872
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8880
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8996
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8984
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9076
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9208
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7560
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7488
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8380
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8376
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8440
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8468
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8684
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8680
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8832
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8600
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9056
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9068
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9104
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9196
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8324
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8336
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8376
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8644
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8740
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8832
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8600
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9068
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9100
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7544
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7548
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8444
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8476
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8464
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8596
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:2560
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8900
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9004
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9020
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8288
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8096
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8404
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8424
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8816
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8600
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8992
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8976
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8308
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8248
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8396
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1560
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8828
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3848
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9004
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9020
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8416
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8396
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8524
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8636
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8360
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8336
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7588
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:6856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8464
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3816
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9016
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:2448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8532
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8524
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8540
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8968
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8468
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8696
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:8744
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8912
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9108
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8548
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9088
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9096
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:8596
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:8540
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7548
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:7432
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7536
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8524
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9088
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5260
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9128
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8524
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9288
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9300
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9352
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9364
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9504
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9520
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9560
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9580
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9728
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9736
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9792
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9804
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9944
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9956
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10008
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10020
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10168
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10196
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10232
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:7200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9312
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9332
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9388
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9396
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9556
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9584
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9644
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9656
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9820
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9840
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9884
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9896
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10068
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10080
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10132
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10144
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9228
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9236
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9336
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9332
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9500
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9548
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9628
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9648
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9812
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9852
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9908
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9920
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10116
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10140
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10224
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10212
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9368
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9388
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9432
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9688
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9704
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9780
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9796
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10028
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10032
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10120
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10148
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9236
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5696
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9420
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9440
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9676
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9708
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9808
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10112
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10092
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10236
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10232
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9432
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9440
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9548
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9636
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9916
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9936
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5808
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10008
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9388
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9416
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9336
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9704
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9880
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9956
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9348
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9408
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9336
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9460
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9892
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9936
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9992
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10032
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9420
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9336
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9636
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10220
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10228
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9100
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:1408
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9800
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9912
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5412
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9644
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9652
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:8628
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5520
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10008
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:7488
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:8628
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:3768
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4500
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:8628
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9248
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5600
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5416
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5520
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5416
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:6084
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:9760
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:9632
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:9336
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:9672
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:5988
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10292
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10300
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10356
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10368
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10508
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10524
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:10580
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10592
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10732
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10748
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10804
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10816
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10956
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10984
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11020
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11032
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:11176
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:11184
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11248
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11260
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10304
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10340
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10384
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10388
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10564
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10588
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10636
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Modifies registry key
  PID:10648
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10824
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10836
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10880
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:11056
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:11072
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11128
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11144
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:5980
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10272
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10344
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10500
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10476
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10588
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10620
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10784
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:10832
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10880
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:10892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:11096
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:11112
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  - Adds Run key to start application
  PID:11160
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\Tranbyadmin.bat /f
  2⤵
  PID:11172
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:10264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Virus Maker\Virus Maker.exe

Filesize
3.7MB

MD5
c00845708ee4e6cbaa628a0886076c4d

SHA1
e011d28a40304957961654e62d00754a772fdee8

SHA256
16f14bd60c84a7838b99c34a791d5d334f08ee1e588c95162290ced38db8b092

SHA512
2b6a09b934ad6076008ad1b8bc960b6c3bf39968275f9f46fe1afbed7228eb196b46172c175106da70af80ad78aafc327869e71860af6472c74867dba022fb59

Download Submit
C:\Users\Admin\Downloads\Tranbyadmin.bat

Filesize
4KB

MD5
30019ceaaff0aea15d6e44efc2ec9b72

SHA1
67373d62947f11b45175576809facef19e6ec417

SHA256
94ded2c7bd47863c1d665b2c9fe97b28e16ccf3913353106a3505dc0c0eeae0c

SHA512
09e6388318839e10f44c0a99025bf1c44b4139be7d142b4146d93bcac32c3d241b9c5bd3bda3cf27ed61348c1a4c543c2f45fa5b36a496ba9636eafdb70ed134

Download Submit
C:\Windows\system.ini

Filesize
4KB

MD5
e3c357971ee3946fbec81d6d5e0421e8

SHA1
34e0775d7b1d698adf7d7328fa90311120c9e079

SHA256
5b58edd1dbc595242e2e61a9f9d45ba319b91ad33980aa9bb72bc636c80224a7

SHA512
b74adc8d6f84481b2d3ea289882f6a4b06d660398e109ffd176aeec5ff5b63939438c8ca956d778a61540c5fb5f66438705efe6c7abd38417be1695147945ab0

Download Submit
C:\Windows\win.ini

Filesize
4KB

MD5
8f070e6bb8118232b4c850087a5dc726

SHA1
357936cc41ca3d3108a79d534f4adbbebca71e47

SHA256
a83cd5a51f3e1c1dbaa703855d1c2565e8cceb02229019d5b17b876252f49c25

SHA512
b0b276c16387f501809be7b7cf7cf74d14d433ad11daca4e46c5af969df712cfa04aec2be32c92fd2ac0aba8a9846540cef20799c3490ba42b4e59159ed4718f

Download Submit
C:\mail.vbs

Filesize
581B

MD5
16191dc414542f77d7a2a621cf1bb2c7

SHA1
70cd99d1b4bb1e86b0c611c519d8f4cffccd1412

SHA256
c9fae967d918635c317e95451b70f79ce1b67d7b574adb597aed86cac07134cd

SHA512
7b9ec619bcd28d044672069566a6a97e6467512df92aa6fda0382801303d8879e484aa9c2e4fbc48ab3d57879ce5da9e3270ceacb1ba741f1ec1cccd6871235e

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
bbe66554b7122defe3035dda526019b1

SHA1
15a5ec2c01b5881c0f6f344a3b572d5d5139c080

SHA256
2890f158e41a2a75e6c79fe14f3b969cce791e90e9f2ce2a2e258a8cd7d17434

SHA512
28f87c29b3850b813bcd62e0213a79ef2db054d91d713b4e1aeaa3e00ecc5b91625751fd53077a9a7eeef55738950730e2a3e464c49084c0b01dfeadeaca772e

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
2824aba724ccfd698a14fff16dff26f0

SHA1
049e87a6e029c1987c39071c26fba3a6b0e9880a

SHA256
de7b31e702a4743103d109808fecaa9b7ea99d6623b5d5e913a019e27fd062c9

SHA512
cc7964c0ecebc62dae484d04eaba68fb24a8efc3d4736cbf74a6a237f70abcdef440b9d4a1c3d82d6d39cef8b0149b562ebc8efd135b2c1e20296dbe8187d42a

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
523a53ef123a7395a03cf31a05f3d040

SHA1
3b271d0dc58e45305132bec1d83a501064a81cc2

SHA256
e1253533489a8fb812e943810ad7b6fcdeba9eb4fb3dd392775ef0e9c27f0cdc

SHA512
69ec8579d9df6481bfaeff27bedd2e082744344dd021a09aec5e10520308a93a0ee3a667267b85f2f1b4d403cbd137fec73aae11bbcd91e338da5b07d62a41b1

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
5eef62de36948e99143093be75f79635

SHA1
5e33d03265e2b12fe335d6c93cad3465ff45852c

SHA256
090b247528a4a34a3fb3a6137d794edc3d53371aeeed37b955d5c7cc316da67c

SHA512
5e8643a404ed30c543ef562e6d3cf9a7f793a6102daa0545ad41a2ceeeadc7c5c51d53b4c9edeb8f9128f23d355cb2f5c098aab8b5b351c2a9fd8168d007facc

Download Submit
C:\mail.vbs

Filesize
3KB

MD5
73920f230059c9c2fb55ed88ae885eaf

SHA1
ca058250db198d8351863bad2de101f01bbfb850

SHA256
19a4d420029145ff248615be78ec76198fafb36fc40cf5bbc52141460a0f0423

SHA512
f8a2c3435e8ce9f00a397c8758faa2aadd7a7d6eb5805965f87615075ac37ab3c0f8bc91fb596746bfe5c117a91aef63a21fab95319bde0ae8bbd3751e55af31

Download Submit
C:\mail.vbs

Filesize
3KB

MD5
bca44ff5cddfc3c5339562208542a4e4

SHA1
e1925d60f6fd3a3a4ec361b556a2ba4a8398c200

SHA256
1299d37c5c0df8609a5c15b3579276443d8b49a7ff5e2faaea69561277952881

SHA512
e967bf181b56fc13d3f0eecbc1e1139585d33663fc74adf6e4f9bfb4b9de4b22b60514c1511d2b5b33aa07fcf60cb4078ef494dd556e059d14b5ada6a33c34bc

Download Submit
C:\mail.vbs

Filesize
4KB

MD5
4ea9ff59b312da42e707dde88250ee69

SHA1
f9afdd482cbafc5a8f45a1f9514d466f50c30d2c

SHA256
8901bc76345abcf0babb40e5d69ae681f87eeff4ca438cd922d9b3b7efddd4ad

SHA512
1a35978edd476c400021431d0b7f92edc79b743083aa6ddec4146f01d7acfbb7edac8628c222e1d06ff4dcfe376078f657e4ed12b1d267b5c48d8deb6def7cfc

Download Submit
C:\mail.vbs

Filesize
4KB

MD5
8f8375895e94ee5e582b1e4bd0fbf3d9

SHA1
cde5b57d92ca94f4cc1ebf29237d3f576f7ca449

SHA256
8637d23c430342d3720a5d11c52725f90fd6c330d3230a0506b5278c4f8ef415

SHA512
5f9dd596e9be133073798bf1002c457f16b0f8b996ffbf45ce049e952b01b696d4028d5dc7199e9df6aed3a1045d6a385fc6b13d8de1b052841d902e34366db8

Download Submit
C:\mail.vbs

Filesize
5KB

MD5
c33a46881dd890fc8b533d8e3ad519f0

SHA1
9b6dfd753d5f28894e9228d7429a687393d3159d

SHA256
936782a3e29ded0516c01a8dbcb06af557a475d8e89ea094da7f700d3c649e73

SHA512
9a95d5d0cc57bdd5ac0c4e4d3a5042633d532fa76803054f46f8440750ac1744265ff139e44bafc708d7cdc0179ed8f0912bc56117a18b5ff10c75a5b716fa6b

Download Submit
C:\mail.vbs

Filesize
5KB

MD5
e0f0f20c727dd1cd41b85ce649ca7293

SHA1
3095e0fab6dba8e18d145a2daccf18090ede0021

SHA256
9397a669848a2d66dbc73410b58d2929e811bc8e5f405ecd801acdf56df90199

SHA512
6ec07abbfe51b25cd2ff89da41d02434a9949ad24c9e67ee0e0cdf9736ad1bdaff15bd32206a3991cbc69474992d5e19e7cde3fb5041f0d353b13d5e9601ed25

Download Submit
C:\mail.vbs

Filesize
6KB

MD5
61342cdc78a222cd1bbfc180786063dd

SHA1
1a5be8328ce898ae6929c65c4998ee9cdab58dff

SHA256
e6fc0cabf928fd3bdb6554d47fdaae745ef80a954b3e79949b09000dff721290

SHA512
aa036dff07e06134e6f5094a179a8af40a6f6b74a8a892f0ca2dff6258872886d80ce926e8c8748a495d2197e35d3f11ccaa006eeb692cd85a9338a26803b3c2

Download Submit
C:\mail.vbs

Filesize
6KB

MD5
1522eb449a4f70e5ee46781689daee5c

SHA1
42d37508e4f55a16106c31dc75dd56aef3b07f12

SHA256
0ee2f2649aca5d309130ab766aa9c4027521c2abc327debb4d6a12b7d0ea41be

SHA512
eabe65eb242282c5f2733d628d112cd0e6fc2e58184fa202d81b1acc4eb8e19eedb342e42cfe25f2aa4b0ca23544b24302cc74141f7805df025d11217a68d25e

Download Submit
C:\mail.vbs

Filesize
7KB

MD5
4ee989939410b17f6bb037bc67deb18e

SHA1
d5ffadb92b3bd158c3be897c69f43c17c37bc9ab

SHA256
138b4e0ffdc65bdf4527d6d10fd5c636080f80ce6f6f02d1dad3911ff4133694

SHA512
67877f4a5de4a34747ea0d983eb0cd39305b375e0f227e822a821321411b19bb5aefbe324229d3fe32a7988c8c2254a685a6dcd005e8cfdfbbc152e421f64af9

Download Submit
C:\mail.vbs

Filesize
7KB

MD5
49d93a25259ca924defb2597d7eec243

SHA1
d4c6896d88746166bf941aaa0c39d7a281f0b1ad

SHA256
0bd249b25c9199bed41e648033277454932051e6a89306e5e2ef0ac50c1dc425

SHA512
5b3ef76d7874cbc4a9156fabd95354b220ba4711bdaafc04662a24263eed09b872f06a13bc60f7dec6dbe95d4ce60176d29db45831eb67880046946c3f684ea2

Download Submit
C:\mail.vbs

Filesize
8KB

MD5
dc70c597ae5b99e0b23b7d3ee66bded2

SHA1
49c309def204fb6eccc3ac5082dc817b06744514

SHA256
979494320a2b80e433239363e13d8b7e4f04b604806fe93a941193912c126b99

SHA512
f5ba91f4506b3a3bdf1fa02e191b89b8bf5cf98a202f91b66cff57856404257e10d6b9c343ed0bfb42b82205301014d2e1e8edb837092f3acbf7597410dd3122

Download Submit
C:\mail.vbs

Filesize
9KB

MD5
15b6c14748bf261a13eecfe130a62713

SHA1
8e6932a3b0c0a580fcb16ed88d254e5954d3b82f

SHA256
3e9b06301f3453674b9bd65e756bc5069565fa7ccfe067ebd4cf6c939861249c

SHA512
98283453dc18f61f529025eadf01442ef1be6d47cba67a421114b510a3a6df5c69454431693dabad7860c63e0f7cf639f09da495f170fd32d0051ae2781974c9

Download Submit
C:\mail.vbs

Filesize
9KB

MD5
ca0229c7ded6a69965a00188d0b193e7

SHA1
7b50339951a6742cefceb0f0f4c05ec48c86d161

SHA256
1f9494a730d0487defbc2f7a0ae18886859af4b029dca71d5c38c36224993eab

SHA512
7645a5dcef8d3a16be80e4268b0570b238ad95efb20c4108f5784fc6220c7127765afd775d5753641fdb078c2a49cd829ef6ff3c256090df8b2d021db1637507

Download Submit
C:\mail.vbs

Filesize
10KB

MD5
9d7be75d889f13fb53ded83d629dc2c1

SHA1
ec638a2f28dd85d561c8c364e97d29c75615ecdd

SHA256
14cd90888627af294f0f6771290ca20d5a7204452b60d031c702a86dc52238ab

SHA512
305e7e0ff059e4bd29d2ad56b49c65d94bf6574a9fa44d432c38bac80cc21c17b91ec3ec75b599e93805a7944324047736260aa770ef8fc84364e95d4380c09d

Download Submit
C:\mail.vbs

Filesize
10KB

MD5
bd8b3231c03565951a13414897a677f5

SHA1
6ffaa827bdd7063847ac2266c8b88357f7f2ee20

SHA256
b358e55ec408c29c4b300b7ef3ed6176a6cd7afc98867dfdf5bff28c2cf13a80

SHA512
72f1862b8a7d0f5d7d90895a9340dbdde35e6a778ecbc50f41b4b04d91454fd17aa152d2031dda6b7d0c773a4f3329a35ea529e282832919c1162de39ee01257

Download Submit
C:\mail.vbs

Filesize
11KB

MD5
45d5a7c54312d732ab7b44387cf68368

SHA1
87b63a38ff3f28d8624a3db97eb3364cb008f2d4

SHA256
1799a8b1c7ec1ea5df0d432b1dc0c1803c85036a15b40b8a125a59bb3a070a04

SHA512
ddd6468715adbe306423f699ad03139a14bfa116ce11014344aab0dc0ae3415482bc54b740cb9a2ac11befa2341481e3d4f1313237e937f610a3e5f98b0e3ea0

Download Submit
C:\mail.vbs

Filesize
11KB

MD5
5a8efaf57c8f44ef2514c3716d595af5

SHA1
413b7af2bfff606a0b133e623351124f711cec42

SHA256
452fd42316aa15bc2cf8867988075db9eafd89504c4e07f2ccb10b8bb11fc1e1

SHA512
a6fa6011fab595a55519dac950a3251853dbb1d7f5f8d2f053d615d7e1e9dd8ebf1611b3f95a340cf425e24718fc54faba6e7a49354f34b40df174df1f91abdc

Download Submit
C:\mail.vbs

Filesize
12KB

MD5
d7f941f1781b95722cccd09f5f44950c

SHA1
8f7d5edbac2e9ca394e19ea32799ba97a1fc399f

SHA256
ef06230ec6178d01afec98af7f1a191033ed84eece273b4d40a1f2727160a008

SHA512
e3452fc2de1d89a8208bfae5fa8305e4919abd2f674903286f1d8bd2edaba5bf08566ae1790178294890902a3bea693f270a12d0b4292093a49cfad321985d63

Download Submit
C:\mail.vbs

Filesize
13KB

MD5
71251a5f185d66fe9c769323ad1506b5

SHA1
177f2e7c6648a9278fee623f5ef9d8afad4ea6ce

SHA256
9d94bbe8bd843f3afb3c6fb73b84e3323748a27163b1a0e832a468a39a321168

SHA512
ab6daafb0df870977e44a4d4604f60a8538e1a25510e1f299015bafb1509a72defd0bfc665231032fd0e15a9701b6943259866f3273ab34e6811b5b10bc0d4c1

Download Submit
C:\mail.vbs

Filesize
13KB

MD5
9f40296d7f22398f71975ac6137ddc0c

SHA1
223e69d75b6376df6229201de693a45654a80b38

SHA256
cf74da2ad42965a5e218068c1b7ee9a2905b7da7b9a17441cc03f1be96899113

SHA512
009893a766bf524d82b0b6f4689f848db37242542f66fc08d64fd25353e064588e9cd60c9d48378b613081473e24d2a9172372734020ff73ef4259711aa66894

Download Submit
C:\mail.vbs

Filesize
14KB

MD5
e49dd8c231350afecdc27a5cd33f2cb0

SHA1
9a021ff0463035ca6bda08812082f0b12dd136c8

SHA256
54f9aaf333fea2b0ca3edefae7f672d95e3e873e1cb43774d9e2c2c723b5f3d4

SHA512
cb05d06090135ac6fc8cd0432307edb06ee4d5d31d5ceb030bc1e6c378fd5d2868b2a443a3222d3a2f95b02b4d07978dda0cccd31a921764e6f299ced1cc1a72

Download Submit
C:\mail.vbs

Filesize
14KB

MD5
80d16b94e2126c773a9323bc274089d3

SHA1
11c053294961612494f00fa6148973a1d0b68f27

SHA256
530f40adde0c73f1fe18c81f2177cc07d2c10d0b384ea23c98ed3f1d94617463

SHA512
922009467f9bcc5a9c12de28f7035aed7af8ec7b64c710ebbd001a3ec65238f392f6d46f2f2fac0f3f07350b6c437f8b799c6b31999f95bec14670aa65600e65

Download Submit
C:\mail.vbs

Filesize
15KB

MD5
e026187ad3e031c98ede50c0bf4d4b92

SHA1
cce59d08d74c1ca0b7b67009c075c0811a78ae76

SHA256
b94bd1e1c043da8c7fe1759fcda223a19580ed2f088c2149a76753e7a103a5ef

SHA512
7271eb82f9dff9b5a577ed6135e7d724cc88eb4281fdd679bd90ad704bb274cb609edc86eb44c4c6c7b3b56553aba1ec02603aef4c7c76bbc3528f36cbcac386

Download Submit
C:\mail.vbs

Filesize
15KB

MD5
c3bb81cf18cf87ad1b6732dca1b56707

SHA1
65d2c3985b2dd5cfaf4d6733635a185900637cff

SHA256
283669e1a07c419b7ad63ad071a1f3d99e1af7ef721d760241791a044338f242

SHA512
ffb084f2ea331391a78e11345290648b837a5ab67e28631f124f0cce27d0a47b61d50631af5f06ce09ffc5835ef54de544abf3ed8edd5d228c38110a58fad502

Download Submit
C:\mail.vbs

Filesize
16KB

MD5
f34131a5a1db0262e9fe748975b4c3b4

SHA1
e6e8716a017ffde60ba790423f107cd83e929577

SHA256
fb5d21df89fc64559dbc633af073c5f47d8ea4ee58d452a5ab2e878ee922e1e2

SHA512
5dd007a8f318e69fe91c38ac8af3df919b9abe3b97f0c70a5ee15c568a1a2d1e62e429fb64a9054a6eb610e36a93cb5fdf6682fb4d02673a8a8aa11a47b5fcb5

Download Submit
C:\mail.vbs

Filesize
17KB

MD5
a98fce76e58214fb9e076dba98d32627

SHA1
96f8ad41575f96655ea0249416740dd81db6b47f

SHA256
f7ab91a33868684ae1be0bca223b3bbc3080650cf753ade5ec0ce82e0470e7c8

SHA512
6c73dee0d444cd336b768918c22c8515838f3bec40162e8b2964bc0c0d6b83349f2e6a7887ed66b005d47450b678ef0593fa1c615668559d0d8c7258afdce8aa

Download Submit
C:\mail.vbs

Filesize
17KB

MD5
08f5e632cb2ea01cac5a6f0134d4231c

SHA1
71a339fec363fad4cfac947d7701d7750981a78d

SHA256
f927e3c18e1b27e8b3fd1ca881622dd576fc24526a103a92b837c2bc1488f7f8

SHA512
6bfbe17dee8977e156b36aaa58c06c963ec929c8acbbe4bd9a273fbe4ff35b2f563760e47f263233510daf9e32c17a80f4987a00b885e1080a0d652d7deda2f4

Download Submit
C:\mail.vbs

Filesize
18KB

MD5
98bdf5d9af46a15b5faa32a2f8d882b6

SHA1
9e73fc3d77fe9242eb6a1979c5e4bf13cb6a89af

SHA256
7e41e8fc98cbf98dac694981cee8142f9e6b0427d5741cb9ab2f518d40ae947d

SHA512
6d90dd8c6a4ade518a4c2e0599d8f9f99b22456af44c10e14cca5ed8dc50e783c2f1d3ac864ebbf156d770db68c7bae37b5e603151b7de525d9e4710419f3c2c

Download Submit
C:\mail.vbs

Filesize
18KB

MD5
26dab27f4e9c2889f4000227e9f262c3

SHA1
fbe0f5b76e3b01f96ba8058b049b807666f404ec

SHA256
41e12e35434e003de376f1dc45b44d43e60f787e9fa9a609abba2b96840ef235

SHA512
d31ffd7999bed722c49e20f23abe678a63c4e5892ec3bac6e7e9fa84fd2446768bd8670ea5c1e8c6c0ca48f94e5439b8fd3d6eecf2dab08d29b42f730734dc3c

Download Submit
C:\mail.vbs

Filesize
19KB

MD5
9800758e564a632f841683fd6c81992f

SHA1
4013e01b957792a3bb836e37d17e326210262381

SHA256
e18efe8c29356c5f3b90d40c8e1699a63ea44f785c1f0890ec3dd0a7caf83717

SHA512
86d2e4e1d5e0b211a2fb76b71ddfbb28c8a8c2373c8948276586f2353ba5dccd135d0d518a1340bd59ccdb10115e6c634791f53e31a995838365b49afb75097c

Download Submit
C:\mail.vbs

Filesize
19KB

MD5
1461adef64c236c4fab7a7fa633d6d2c

SHA1
2ace031e757431fdc6ee7a39b5f96e6497e85c3a

SHA256
4fd2b8f403788e0a5d3046a4ff7df7021c28b8676c70c4b1ef3859da4e2923bb

SHA512
965a5b2cfdf25e73cc2b5f5744fa6343df1a6c75491fe08100728e9f24393cda10f26ae33f97b06564d777b68565d585945a585abf7458ce4c6da05fce8ef865

Download Submit
C:\mail.vbs

Filesize
20KB

MD5
255f35c704a1d0b789a24c1237396009

SHA1
c1d7eee6e1bad800ac140af8e7d5a156630f10fe

SHA256
e5e7551eba6267c229cf115aa2d5990dbd132785dba652ccaa4481b11fc3ef1b

SHA512
ba6fc454790f60456234cfd5a65db8a3f71abaf0a4155d0ee9938692f1e487668f87f70c8c8b7fe85eecfb0301f2a91ba273839a651898853792c3535845b2fd

Download Submit
C:\mail.vbs

Filesize
20KB

MD5
bbf239961c3fc6310757eeeda1ba077e

SHA1
66d4d4ac66d1bb575f6bb04e327640233374f5ea

SHA256
00b11e138b9f28851a9689b7d5c5a39fdd846d90889db3cb62bc941b02b0d389

SHA512
ec243a766c6c9a4df34444c3b342c3ecf89eccbd36a52397273ec14a04fae8574c0d32d3577b1cc624c49cc4ad4f031e36985d100e6962eda726f562e180d017

Download Submit
C:\mail.vbs

Filesize
21KB

MD5
0c6f58fcecfac67e8cec52122fb7e524

SHA1
1771e15901acf0ef4ad702192a9112057803918c

SHA256
df80d4fa1c5f2e2ff679d89403606f1e916b601d7834196838650c13e57564a8

SHA512
b26a117e724158f717c000974e0edcaa6155f96b919f5c75733047d4958e2458455e23ce39eda99a3cd5be29cdccb1d068e0d75a539b08b206250ea95f28de62

Download Submit
C:\mail.vbs

Filesize
22KB

MD5
ec94114f1f4945eeb034680932ec1713

SHA1
7198c4c378715beb585e8a263d77b19cfe5bc65d

SHA256
b2154efdf4c52482da46eaf0e1f4d00fe273b601814acb51760c60b9efd43099

SHA512
ee2864a45421446c7ae334083429a054243d664b50fa247bc4d27322fc40818697b603e7978720195b6e2a7f92274e1cff52a048b11e231b0c8b55f25bd4ef72

Download Submit
C:\mail.vbs

Filesize
22KB

MD5
b3065a60c3fb553a5b3a6160682e5428

SHA1
5b2a9143a37c1452c15a54464c0e6da610be24ef

SHA256
31f2d3f4a907d9a95b5a6b623b64fcc82775a917901b9477a7c41170a1a60a91

SHA512
58494a7793f827587593d6a2789fd843f6eb57114dbbc5c4361f3300d3ea92a7f3d300d4fa6984e967663841103b53da6fb0fd4b447692c93090ac015d007391

Download Submit
C:\mail.vbs

Filesize
23KB

MD5
756f40d74f9c02e945c5d870930c005f

SHA1
d746808e9046686c4a97ede8e2fcb5ee05b4ab62

SHA256
3c0453312bfed5f06ffc1259659c040e98d0d5fa63adaa72a76cd33d3b755ac6

SHA512
5b90c1c24256b735132b93b24d27afae2347b89ca4ffe1fe30021fe60a86ffcff57f07318a2eac3950c27800e55951e8ba9e8f1e5d581f8904b432acb9b68eee

Download Submit
C:\mail.vbs

Filesize
23KB

MD5
a49ea4a88ebe1c37db76a3608099d301

SHA1
a361094d9a9eb4915c725072bff0548adc53bd02

SHA256
49d3aac761dec0dd1af86cf072044a9914e75f75b5cc253e32ad4a42f9b2d764

SHA512
8e6b373cace9cd03a0f4fc224114b821a5eeaef9de16bb1465fbb9e554a7ae40ca22b7951482371d47c5548c5c2f2ec4fa1e179444870ea734aa61d7f73375b0

Download Submit
C:\mail.vbs

Filesize
24KB

MD5
85c70f2afa16d5e9fd7c824b5de6cb2d

SHA1
aa61d0eb0d7397e51655679b545802a2a13b825c

SHA256
4792d3f6e91dc2a1436ab66e9c620f7cd14b08e99f999c9bc08fdee6541d0094

SHA512
a1ef505ded250767d4d55234a2a664bf425d52d0f075f769f9d9dc4902ca789ebebed42e860fc4dec53a218a8a0b7e766f180fbfba1bf860a8f2d73401d3473e

Download Submit
C:\mail.vbs

Filesize
24KB

MD5
ad4f088fa199a1ddd93fc52ae6127899

SHA1
f5d51e6c867abdaa5375346ac72d37fe07618b18

SHA256
a622625b2eae3c34d3967560b6848030213c2a9b2b8c1023b40ff5017d7ea15b

SHA512
346559be3a8c80b95c509fd5fadb6c9506827b9fde9850f7542f68b68fc443c2df35759e630b7223c15f53e76d3d78e7209bc8106cf3e6d5de45d68acbc9d629

Download Submit
C:\mail.vbs

Filesize
25KB

MD5
b8787b4cf9ac7755d2cf559e19233024

SHA1
ae0a948ab7dd80e408795d008f43864047611d71

SHA256
04a66cc9f70409f67056dc34afb05b99b358dbadfdf7bc58ca7f85b12df1fdc0

SHA512
d9e536b0240024cae5a10e8b20ef19f395787b38849c9bdd89cba6aa244524ffbcab8c7e0acbea9fb6b2f4511365009940deeae2a6c442d842f57bf0b21c3fad

Download Submit
C:\mail.vbs

Filesize
26KB

MD5
61839672015aa41491d2a2603c422e76

SHA1
b907934a4e25f206d55224e0b94d1e731f1562a5

SHA256
c05af9360aff83ca6e23e573f0dc34d01dfb70c474e0f047ad3395b147c55464

SHA512
559834564fee0ca7840d8f001cc517bfe5d2f4706f8ed8b518e6b71f5f38c066960974bcb6e9b8f85e0c8c4a075d0598bceac8a3a0c1fbb149236e28a3e8c327

Download Submit
C:\mail.vbs

Filesize
26KB

MD5
0171afd3d6b38f5fe0e7d41ba78baf1b

SHA1
73639fcc09ad8daa48fcca1398e93da510724216

SHA256
32ac0ff05d646687b54a84a88143bc96522c4d7a3967883fff51b42031fb300a

SHA512
418e6073a42957c55d9dfe75feb636b6a97e5d2527c512ea33d3e43e000e42c6c38cae748b333a1e64e9a3b7684aa691becf65079a9dbc7160d1e51311a48b07

Download Submit
C:\mail.vbs

Filesize
27KB

MD5
306ae4a0c42518cef058fd817aff7da1

SHA1
3c70e7dc26ccdf20cbfbc6a810977d54fb0dd1bc

SHA256
abdb4838b49da97df5a04aa57d29a1ae7d44d20514431066d7522ee4fc6d85b6

SHA512
10ea3e6b26636ae4aba52581e6a7e8ba8837e3b4a4f9ad34d91538aa11412a75cb39b1a4438203416d5032a7a0187988a4be931406c260a1321f517b7a4f9173

Download Submit
C:\mail.vbs

Filesize
27KB

MD5
f430993b0493a9e7222fcaa35934e009

SHA1
bae438c204733512d934df81ecc862e58fdc7239

SHA256
016f951b5022e118d2afcb99e926838d88dc8a55cc8ef14051fc0d8dd6db3d0a

SHA512
654213882ed14ecfe236c30d913f18543fdce12173184b8f8ea6a71a70d4f53a78e6b76428c959d4a942cc49262c1ff407b3daaa129e0d14b1626c73a828c54e

Download Submit
C:\mail.vbs

Filesize
28KB

MD5
aca6f679d745d77d98b546290fe955e7

SHA1
ded597c07ece03c6804b7b5fe56f254c76f56dbc

SHA256
dd1da9d0881d5c0faa62ee86eb6d3d94aaa542748568fe4494212fdf060fd80c

SHA512
fdb77739af64c037fbbaa212b2eeb66ec0dc24ef1d44820eda38cfa3402e4eb93170137ba709894ca64cceeada7f4ec84d0c0d2c720a6b847a12fcff855754b9

Download Submit
C:\mail.vbs

Filesize
28KB

MD5
f3b6a121bb4ff5ce4ba9bc37619d594f

SHA1
527a45195e235c7938cc806418b180dd68aef826

SHA256
9ce44bc93d5a700329d34ef65f53a229c58dfc24a4a90339fc5285ca60f9c471

SHA512
2d7b2fe4a6f34a377c3d8ac626a33f2d8629481efe2a4841c2c28153a61658d4c0cc6ffc5ffd2ead2604e150ce554ecc15c2776ffbe48937b92229820d8ac78e

Download Submit
C:\mail.vbs

Filesize
29KB

MD5
0943071a79dbfbe7afa51e4cd24817af

SHA1
d88c5df4d2511cbd1447bf6399af7bd4ea512ed6

SHA256
ee20b65533c7a9caf72bf10239f423dfb1614bd8656119b3086db03c3dc7d74e

SHA512
7b74547fa89aec022361c0ded8ddb8623216c865e12b25cbe355aa4da116e880d013f28c763306f84ee88ecfdf01137908f88f47a5ee50647213426f995f3edf

Download Submit
C:\mail.vbs

Filesize
30KB

MD5
2b5bd903dc9e0259a4f54c151f776055

SHA1
da52ddf272ed9e11c36594e618dcfa8b715c6cc3

SHA256
8c81c796043dd8ddb324bb1e4f7ee6aecf240f30a06e2ead25def608861b9c2f

SHA512
ecf766be7ab16b135297410a0f986c6a36332fb965d445669121842b4c0d84f86f419eeaa9fa620f183b65fe8817baf486b4d6cce57dff083d21644bbc297df4

Download Submit
C:\mail.vbs

Filesize
30KB

MD5
f97992ee7a322c26558e29703a12c341

SHA1
6effcba61b0e1ad305fd865163ce68d944719970

SHA256
d2a2eb39edda223817cd1cd51bfa8bbddb2f521d45748c604c3f268fdd776713

SHA512
c980bdf2355387606f1f4ac2dbcb16ca7d88b7f02431837579866e94d4f5795ade64ed2efd19d1f685990ab6462065dad3d099d3df557d8872d98899dc2c9b9f

Download Submit
C:\mail.vbs

Filesize
31KB

MD5
cb04a8e5ec1e03900aa58afce1422148

SHA1
6727beb1b26e145d666771946d44a89dc6d63463

SHA256
f8e767f80bca1082a77b3482fb86773526e77cf9938bb77f9aca6b405eea175a

SHA512
437f1972cb4665814b503922ac6cac3af8cb0f42fc9ee1bd6c672839abcbae79b24e62ffbe37b60da3f6d6cc59074f73674d2d5cc65b801ac09fab81c3938b8d

Download Submit
C:\mail.vbs

Filesize
31KB

MD5
dd142108e1993fd3dc8d40e83f030149

SHA1
713df048162a5858c3448553536158abe45da596

SHA256
6e4333902ad84dfdddc1f84e2c902b76093605aa7a3ea3266d5ed790955c3c84

SHA512
916ebdc7d4d8512dae254d10eeb8f3bb768f9bc56b2721a423b30864a09c1dfb8ba2c1a2d9468c263d40236014b41090e3aa4ff854dac3738ae679d85d44cc9f

Download Submit
C:\mail.vbs

Filesize
32KB

MD5
4f06f1a8f0458b12c7c7a23aabce9ed1

SHA1
aaf9fe4aedbd91a9c7db89a71370bc191fd938bc

SHA256
c40667820505a77a90ad1cdac21ded614a4c3da3efed082a3a01195bcc040b86

SHA512
718c28172260ca4f82dceda55f60142611e9676ff795ca228f1d9bf23bf5dc2288af2f1f2d2b258ebd96e8d5da43d59e5b2a06bcf7f8ea29841c65527fae2cfe

Download Submit
C:\mail.vbs

Filesize
32KB

MD5
bacc6f2b8dc8c5589823d42773d6cdfa

SHA1
ced083d8ffff1c5fcd42a91e2091028580c5deed

SHA256
a70a75b0265a77f8c628c3de536ad2ee4a750e5e5139c78aa35e2d29e1248e27

SHA512
3b88d25a6814973afcd4d9c45efa49f72e96ead521e2ba56529eb0ebae27f2221c3b4f233b210868ba2d9b89b1641caa33741d91acf81594a961d0a38edee9cc

Download Submit
C:\mail.vbs

Filesize
33KB

MD5
e7f65561ef3e4686572cce8d8ee970e6

SHA1
513567c1f5af46d63dcdacbe08055d9334453efb

SHA256
9a7383783fb240f3af2781ddd5d56e4cd298bcd7e274a0bd67612390a55eea26

SHA512
b793c86cc64dcfbb60d369a92a7331afca569d104ee3261f5f4d683910662334141c6b93818696bcf90d4fb9f20a9132fe3c240c3edee3b16c88f1c300232f5f

Download Submit
C:\mail.vbs

Filesize
34KB

MD5
0c5d7e17c3038c8e0ee82913baeb2d5b

SHA1
83bc2e208f7e67e6b0d5dbad14531939f07f2ace

SHA256
802e34369599d24a5047cd2b21dc794587b690f51eef79b43bb87d2dc265a9a6

SHA512
a9a6c6a2ec5022f2fcb6b8edfe7a59aa95d0a86bcff1a1349b28e876d28a56cb89ad886d9b1c919d766eb61fc55866cf8152a676bf3ff3a6814427f47738713e

Download Submit
C:\mail.vbs

Filesize
34KB

MD5
e6501db1455041f14a53275cd50a5700

SHA1
c61af317f699f99d451de8adbfb6cd19eaa8b215

SHA256
5068db79041fc18e64f8c4554c6b1e79e0fc94a5abe0b8f29fd58d609fbc5bae

SHA512
2fec515a95014fac84db4c7a36a1091ba01d284cd5f0502db2c6eeb0f282d1825238b2084b283ae893db0583969af7234a2976cef0d3ca58106611da73ce4833

Download Submit
memory/1876-17-0x00007FFCFDFB0000-0x00007FFCFDFC1000-memory.dmp

Filesize
68KB

Download
memory/1876-30-0x00007FFCECA20000-0x00007FFCEDAD0000-memory.dmp

Filesize
16.7MB

Download
memory/1876-8-0x00007FFCFE0D0000-0x00007FFCFE0ED000-memory.dmp

Filesize
116KB

Download
memory/1876-1-0x00007FFCFD9D0000-0x00007FFCFDA04000-memory.dmp

Filesize
208KB

Download
memory/1876-10-0x00007FFCEECD0000-0x00007FFCEEEDB000-memory.dmp

Filesize
2.0MB

Download
memory/1876-6-0x00007FFCFE110000-0x00007FFCFE127000-memory.dmp

Filesize
92KB

Download
memory/1876-5-0x00007FFCFE130000-0x00007FFCFE141000-memory.dmp

Filesize
68KB

Download
memory/1876-4-0x00007FFD02B60000-0x00007FFD02B77000-memory.dmp

Filesize
92KB

Download
memory/1876-3-0x00007FFD02B80000-0x00007FFD02B98000-memory.dmp

Filesize
96KB

Download
memory/1876-13-0x00007FFCFE030000-0x00007FFCFE051000-memory.dmp

Filesize
132KB

Download
memory/1876-15-0x00007FFCFDFF0000-0x00007FFCFE001000-memory.dmp

Filesize
68KB

Download
memory/1876-12-0x00007FFCFE060000-0x00007FFCFE0A1000-memory.dmp

Filesize
260KB

Download
memory/1876-18-0x00007FFCEBCA0000-0x00007FFCEBCB7000-memory.dmp

Filesize
92KB

Download
memory/1876-0-0x00007FF629CA0000-0x00007FF629D98000-memory.dmp

Filesize
992KB

Download
memory/1876-16-0x00007FFCFDFD0000-0x00007FFCFDFE1000-memory.dmp

Filesize
68KB

Download
memory/1876-14-0x00007FFCFE010000-0x00007FFCFE028000-memory.dmp

Filesize
96KB

Download
memory/1876-9-0x00007FFCFE0B0000-0x00007FFCFE0C1000-memory.dmp

Filesize
68KB

Download
memory/1876-2-0x00007FFCEDAD0000-0x00007FFCEDD86000-memory.dmp

Filesize
2.7MB

Download
memory/1876-11-0x00007FFCECA20000-0x00007FFCEDAD0000-memory.dmp

Filesize
16.7MB

Download
memory/1876-7-0x00007FFCFE0F0000-0x00007FFCFE101000-memory.dmp

Filesize
68KB

Download
memory/1876-49-0x00007FFCECA20000-0x00007FFCEDAD0000-memory.dmp

Filesize
16.7MB

Download
memory/4232-1811-0x0000000000120000-0x00000000004CE000-memory.dmp

Filesize
3.7MB

Download
memory/4232-1812-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/4232-1813-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/4232-1814-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/4232-1815-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/4232-1816-0x00000000051C0000-0x0000000005216000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads