agenttesla | 7341780b5a914f5cf26fee6fecfa59380432fe6da8ad4aeb5bc9e83836991b1a

Analysis

max time kernel
150s
max time network
118s
platform
windows10_x64
resource
win10
submitted
15-07-2020 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order152020.exe
Size

439KB
MD5

bdad7cf32c55233a29a52feba81f140e
SHA1

464219a09f61e119e532fbacba58259ee7b06299
SHA256

7341780b5a914f5cf26fee6fecfa59380432fe6da8ad4aeb5bc9e83836991b1a
SHA512

32a56224e62319eeaa1f2467a8f502ee0b764912c55a24d1cc114f7dbc8ec9a7738eb737c362e641e3eb1b4988332d49b3b81ea981507a24cfc07f44296f6c73

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
anyanwu3116

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 64 IoCs

resource	yara_rule
behavioral2/memory/3064-1-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3064-0-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/1984-6-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3780-11-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1904-16-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3040-21-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4228-26-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4400-31-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4564-36-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4744-41-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4908-46-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/5072-51-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3164-56-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/516-61-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4752-66-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4976-71-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3756-76-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/5032-81-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4880-86-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/2140-91-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4324-96-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/2856-101-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4656-106-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4724-111-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1564-116-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4220-121-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/640-126-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/2176-131-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4500-136-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1168-141-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4336-146-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/5020-151-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3500-156-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4472-161-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/5072-166-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4796-171-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1908-176-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4660-181-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1296-186-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4800-191-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4260-196-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1556-201-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4732-206-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1720-211-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4108-216-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/2328-221-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3592-226-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4264-231-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3504-236-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/516-241-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4704-246-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3188-251-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4616-256-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/1160-261-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4720-266-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4948-271-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/2088-276-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/2328-281-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/736-286-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3896-291-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4472-296-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/3968-301-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4828-306-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral2/memory/4224-311-0x0000000000446EFE-mapping.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 3064	3100	Order152020.exe	67
PID 3368 set thread context of 1984	3368	Order152020.exe	72
PID 776 set thread context of 3780	776	Order152020.exe	77
PID 4044 set thread context of 1904	4044	Order152020.exe	82
PID 3768 set thread context of 3040	3768	Order152020.exe	87
PID 4188 set thread context of 4228	4188	Order152020.exe	93
PID 4360 set thread context of 4400	4360	Order152020.exe	99
PID 4532 set thread context of 4564	4532	Order152020.exe	104
PID 4696 set thread context of 4744	4696	Order152020.exe	111
PID 4876 set thread context of 4908	4876	Order152020.exe	116
PID 5040 set thread context of 5072	5040	Order152020.exe	121
PID 4240 set thread context of 3164	4240	Order152020.exe	127
PID 4528 set thread context of 516	4528	Order152020.exe	132
PID 3240 set thread context of 4752	3240	Order152020.exe	137
PID 1980 set thread context of 4976	1980	Order152020.exe	142
PID 1164 set thread context of 3756	1164	Order152020.exe	147
PID 4720 set thread context of 5032	4720	Order152020.exe	152
PID 1804 set thread context of 4880	1804	Order152020.exe	157
PID 1720 set thread context of 2140	1720	Order152020.exe	162
PID 4344 set thread context of 4324	4344	Order152020.exe	167
PID 1000 set thread context of 2856	1000	Order152020.exe	172
PID 4528 set thread context of 4656	4528	Order152020.exe	177
PID 4844 set thread context of 4724	4844	Order152020.exe	182
PID 5000 set thread context of 1564	5000	Order152020.exe	187
PID 2160 set thread context of 4220	2160	Order152020.exe	192
PID 3932 set thread context of 640	3932	Order152020.exe	199
PID 4872 set thread context of 2176	4872	Order152020.exe	206
PID 3836 set thread context of 4500	3836	Order152020.exe	213
PID 4680 set thread context of 1168	4680	Order152020.exe	218
PID 3100 set thread context of 4336	3100	Order152020.exe	223
PID 5000 set thread context of 5020	5000	Order152020.exe	228
PID 4304 set thread context of 3500	4304	Order152020.exe	233
PID 4888 set thread context of 4472	4888	Order152020.exe	239
PID 4596 set thread context of 5072	4596	Order152020.exe	246
PID 4108 set thread context of 4796	4108	Order152020.exe	252
PID 2088 set thread context of 1908	2088	Order152020.exe	259
PID 4884 set thread context of 4660	4884	Order152020.exe	264
PID 1384 set thread context of 1296	1384	Order152020.exe	269
PID 4892 set thread context of 4800	4892	Order152020.exe	274
PID 736 set thread context of 4260	736	Order152020.exe	280
PID 516 set thread context of 1556	516	Order152020.exe	286
PID 5076 set thread context of 4732	5076	Order152020.exe	292
PID 2224 set thread context of 1720	2224	Order152020.exe	297
PID 3424 set thread context of 4108	3424	Order152020.exe	302
PID 3828 set thread context of 2328	3828	Order152020.exe	309
PID 3780 set thread context of 3592	3780	Order152020.exe	314
PID 1984 set thread context of 4264	1984	Order152020.exe	319
PID 4480 set thread context of 3504	4480	Order152020.exe	324
PID 4248 set thread context of 516	4248	Order152020.exe	329
PID 5116 set thread context of 4704	5116	Order152020.exe	334
PID 3288 set thread context of 3188	3288	Order152020.exe	339
PID 4960 set thread context of 4616	4960	Order152020.exe	344
PID 2160 set thread context of 1160	2160	Order152020.exe	349
PID 4152 set thread context of 4720	4152	Order152020.exe	355
PID 1044 set thread context of 4948	1044	Order152020.exe	361
PID 3380 set thread context of 2088	3380	Order152020.exe	368
PID 1092 set thread context of 2328	1092	Order152020.exe	374
PID 3856 set thread context of 736	3856	Order152020.exe	381
PID 3848 set thread context of 3896	3848	Order152020.exe	386
PID 4804 set thread context of 4472	4804	Order152020.exe	392
PID 2700 set thread context of 3968	2700	Order152020.exe	397
PID 4548 set thread context of 4828	4548	Order152020.exe	403
PID 3584 set thread context of 4224	3584	Order152020.exe	408
PID 3864 set thread context of 4636	3864	Order152020.exe	413

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe
3100	Order152020.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3100	Order152020.exe
3368	Order152020.exe
776	Order152020.exe
4044	Order152020.exe
3768	Order152020.exe
4188	Order152020.exe
4188	Order152020.exe
4360	Order152020.exe
4360	Order152020.exe
4532	Order152020.exe
4696	Order152020.exe
4696	Order152020.exe
4696	Order152020.exe
4876	Order152020.exe
5040	Order152020.exe
4240	Order152020.exe
4240	Order152020.exe
4528	Order152020.exe
3240	Order152020.exe
1980	Order152020.exe
1164	Order152020.exe
4720	Order152020.exe
1804	Order152020.exe
1720	Order152020.exe
4344	Order152020.exe
1000	Order152020.exe
4528	Order152020.exe
4844	Order152020.exe
5000	Order152020.exe
2160	Order152020.exe
3932	Order152020.exe
3932	Order152020.exe
3932	Order152020.exe
4872	Order152020.exe
4872	Order152020.exe
4872	Order152020.exe
3836	Order152020.exe
3836	Order152020.exe
4680	Order152020.exe
3100	Order152020.exe
5000	Order152020.exe
4304	Order152020.exe
4888	Order152020.exe
4888	Order152020.exe
4596	Order152020.exe
4596	Order152020.exe
4596	Order152020.exe
4108	Order152020.exe
4108	Order152020.exe
2088	Order152020.exe
2088	Order152020.exe
2088	Order152020.exe
4884	Order152020.exe
1384	Order152020.exe
4892	Order152020.exe
736	Order152020.exe
736	Order152020.exe
516	Order152020.exe
516	Order152020.exe
5076	Order152020.exe
5076	Order152020.exe
2224	Order152020.exe
3424	Order152020.exe
3828	Order152020.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	Order152020.exe
Token: SeDebugPrivilege	3368	Order152020.exe
Token: SeDebugPrivilege	776	Order152020.exe
Token: SeDebugPrivilege	4044	Order152020.exe
Token: SeDebugPrivilege	3768	Order152020.exe
Token: SeDebugPrivilege	4188	Order152020.exe
Token: SeDebugPrivilege	4360	Order152020.exe
Token: SeDebugPrivilege	4532	Order152020.exe
Token: SeDebugPrivilege	4696	Order152020.exe
Token: SeDebugPrivilege	4876	Order152020.exe
Token: SeDebugPrivilege	5040	Order152020.exe
Token: SeDebugPrivilege	4240	Order152020.exe
Token: SeDebugPrivilege	4528	Order152020.exe
Token: SeDebugPrivilege	3240	Order152020.exe
Token: SeDebugPrivilege	1980	Order152020.exe
Token: SeDebugPrivilege	1164	Order152020.exe
Token: SeDebugPrivilege	4720	Order152020.exe
Token: SeDebugPrivilege	1804	Order152020.exe
Token: SeDebugPrivilege	1720	Order152020.exe
Token: SeDebugPrivilege	4344	Order152020.exe
Token: SeDebugPrivilege	1000	Order152020.exe
Token: SeDebugPrivilege	4528	Order152020.exe
Token: SeDebugPrivilege	4844	Order152020.exe
Token: SeDebugPrivilege	5000	Order152020.exe
Token: SeDebugPrivilege	2160	Order152020.exe
Token: SeDebugPrivilege	3932	Order152020.exe
Token: SeDebugPrivilege	3064	RegAsm.exe
Token: SeDebugPrivilege	4872	Order152020.exe
Token: SeDebugPrivilege	3836	Order152020.exe
Token: SeDebugPrivilege	4680	Order152020.exe
Token: SeDebugPrivilege	3100	Order152020.exe
Token: SeDebugPrivilege	5000	Order152020.exe
Token: SeDebugPrivilege	4304	Order152020.exe
Token: SeDebugPrivilege	4888	Order152020.exe
Token: SeDebugPrivilege	4596	Order152020.exe
Token: SeDebugPrivilege	4108	Order152020.exe
Token: SeDebugPrivilege	2088	Order152020.exe
Token: SeDebugPrivilege	4884	Order152020.exe
Token: SeDebugPrivilege	1384	Order152020.exe
Token: SeDebugPrivilege	4892	Order152020.exe
Token: SeDebugPrivilege	736	Order152020.exe
Token: SeDebugPrivilege	516	Order152020.exe
Token: SeDebugPrivilege	5076	Order152020.exe
Token: SeDebugPrivilege	2224	Order152020.exe
Token: SeDebugPrivilege	3424	Order152020.exe
Token: SeDebugPrivilege	3828	Order152020.exe
Token: SeDebugPrivilege	3780	Order152020.exe
Token: SeDebugPrivilege	1984	Order152020.exe
Token: SeDebugPrivilege	4480	Order152020.exe
Token: SeDebugPrivilege	4248	Order152020.exe
Token: SeDebugPrivilege	5116	Order152020.exe
Token: SeDebugPrivilege	3288	Order152020.exe
Token: SeDebugPrivilege	4960	Order152020.exe
Token: SeDebugPrivilege	4500	RegAsm.exe
Token: SeDebugPrivilege	2160	Order152020.exe
Token: SeDebugPrivilege	4152	Order152020.exe
Token: SeDebugPrivilege	1044	Order152020.exe
Token: SeDebugPrivilege	3380	Order152020.exe
Token: SeDebugPrivilege	1092	Order152020.exe
Token: SeDebugPrivilege	3856	Order152020.exe
Token: SeDebugPrivilege	3848	Order152020.exe
Token: SeDebugPrivilege	4804	Order152020.exe
Token: SeDebugPrivilege	2700	Order152020.exe
Token: SeDebugPrivilege	4548	Order152020.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3064	3100	Order152020.exe	67
PID 3100 wrote to memory of 3064	3100	Order152020.exe	67
PID 3100 wrote to memory of 3064	3100	Order152020.exe	67
PID 3100 wrote to memory of 3064	3100	Order152020.exe	67
PID 3100 wrote to memory of 3384	3100	Order152020.exe	68
PID 3100 wrote to memory of 3384	3100	Order152020.exe	68
PID 3100 wrote to memory of 3384	3100	Order152020.exe	68
PID 3384 wrote to memory of 3932	3384	cmd.exe	70
PID 3384 wrote to memory of 3932	3384	cmd.exe	70
PID 3384 wrote to memory of 3932	3384	cmd.exe	70
PID 3100 wrote to memory of 3368	3100	Order152020.exe	71
PID 3100 wrote to memory of 3368	3100	Order152020.exe	71
PID 3100 wrote to memory of 3368	3100	Order152020.exe	71
PID 3368 wrote to memory of 1984	3368	Order152020.exe	72
PID 3368 wrote to memory of 1984	3368	Order152020.exe	72
PID 3368 wrote to memory of 1984	3368	Order152020.exe	72
PID 3368 wrote to memory of 1984	3368	Order152020.exe	72
PID 3368 wrote to memory of 2604	3368	Order152020.exe	73
PID 3368 wrote to memory of 2604	3368	Order152020.exe	73
PID 3368 wrote to memory of 2604	3368	Order152020.exe	73
PID 2604 wrote to memory of 1520	2604	cmd.exe	75
PID 2604 wrote to memory of 1520	2604	cmd.exe	75
PID 2604 wrote to memory of 1520	2604	cmd.exe	75
PID 3368 wrote to memory of 776	3368	Order152020.exe	76
PID 3368 wrote to memory of 776	3368	Order152020.exe	76
PID 3368 wrote to memory of 776	3368	Order152020.exe	76
PID 776 wrote to memory of 3780	776	Order152020.exe	77
PID 776 wrote to memory of 3780	776	Order152020.exe	77
PID 776 wrote to memory of 3780	776	Order152020.exe	77
PID 776 wrote to memory of 3780	776	Order152020.exe	77
PID 776 wrote to memory of 3984	776	Order152020.exe	78
PID 776 wrote to memory of 3984	776	Order152020.exe	78
PID 776 wrote to memory of 3984	776	Order152020.exe	78
PID 3984 wrote to memory of 3756	3984	cmd.exe	80
PID 3984 wrote to memory of 3756	3984	cmd.exe	80
PID 3984 wrote to memory of 3756	3984	cmd.exe	80
PID 776 wrote to memory of 4044	776	Order152020.exe	81
PID 776 wrote to memory of 4044	776	Order152020.exe	81
PID 776 wrote to memory of 4044	776	Order152020.exe	81
PID 4044 wrote to memory of 1904	4044	Order152020.exe	82
PID 4044 wrote to memory of 1904	4044	Order152020.exe	82
PID 4044 wrote to memory of 1904	4044	Order152020.exe	82
PID 4044 wrote to memory of 1904	4044	Order152020.exe	82
PID 4044 wrote to memory of 3968	4044	Order152020.exe	83
PID 4044 wrote to memory of 3968	4044	Order152020.exe	83
PID 4044 wrote to memory of 3968	4044	Order152020.exe	83
PID 3968 wrote to memory of 3772	3968	cmd.exe	85
PID 3968 wrote to memory of 3772	3968	cmd.exe	85
PID 3968 wrote to memory of 3772	3968	cmd.exe	85
PID 4044 wrote to memory of 3768	4044	Order152020.exe	86
PID 4044 wrote to memory of 3768	4044	Order152020.exe	86
PID 4044 wrote to memory of 3768	4044	Order152020.exe	86
PID 3768 wrote to memory of 3040	3768	Order152020.exe	87
PID 3768 wrote to memory of 3040	3768	Order152020.exe	87
PID 3768 wrote to memory of 3040	3768	Order152020.exe	87
PID 3768 wrote to memory of 3040	3768	Order152020.exe	87
PID 3768 wrote to memory of 4116	3768	Order152020.exe	88
PID 3768 wrote to memory of 4116	3768	Order152020.exe	88
PID 3768 wrote to memory of 4116	3768	Order152020.exe	88
PID 4116 wrote to memory of 4160	4116	cmd.exe	90
PID 4116 wrote to memory of 4160	4116	cmd.exe	90
PID 4116 wrote to memory of 4160	4116	cmd.exe	90
PID 3768 wrote to memory of 4188	3768	Order152020.exe	91
PID 3768 wrote to memory of 4188	3768	Order152020.exe	91

C:\Users\Admin\AppData\Local\Temp\Order152020.exe
"C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3932
- C:\Users\Admin\AppData\Local\Temp\Order152020.exe
  "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
    "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
      "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        7⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:4392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        9⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        10⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        11⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        12⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        13⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        14⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        15⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        16⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        16⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        17⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        18⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        19⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        20⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        21⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        22⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        23⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        24⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        24⤵
        
        PID:904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        25⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        26⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        27⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        28⤵
        
        PID:856
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        29⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        29⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        30⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        31⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        32⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        32⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        33⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:4200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        34⤵
        
        PID:804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        35⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:4396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        36⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:5088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        37⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        38⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        39⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        40⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        40⤵
        
        PID:408
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        40⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        41⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        41⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:3800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        42⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        43⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:4208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        43⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        44⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        43⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        44⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        45⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        45⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        46⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:4904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        46⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        47⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        47⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        48⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        48⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        49⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        49⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        50⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        50⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        51⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        50⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        51⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        52⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        52⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        53⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        52⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        53⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        54⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        Adds Run key to start application
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        54⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        55⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        54⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        55⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        56⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        56⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        57⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        56⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:4124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        57⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:4132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        58⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        58⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:3064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        59⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        60⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        60⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        61⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        62⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        63⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        64⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        65⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        65⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        66⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        65⤵
        
        PID:4536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        66⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        67⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        66⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        67⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        68⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        67⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        68⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        69⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        68⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:1856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        69⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        70⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        69⤵
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        70⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        71⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        70⤵
        
        PID:2128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        71⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        72⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        71⤵
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        72⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        73⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        72⤵
        
        PID:4044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        73⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        74⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        73⤵
        
        PID:4368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        74⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        75⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        74⤵
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        75⤵
        
        PID:408
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        76⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        75⤵
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:1852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        76⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        77⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        76⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        77⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        78⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        77⤵
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        78⤵
        
        PID:484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        79⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        78⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        79⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        80⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        79⤵
        
        PID:4632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        Adds Run key to start application
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        80⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        81⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        80⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        81⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        82⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        81⤵
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        82⤵
        
        PID:584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        83⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        82⤵
        
        PID:4532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        83⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        84⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        83⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:4908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        84⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        85⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        84⤵
        
        PID:992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        85⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        86⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        85⤵
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        86⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        87⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        86⤵
        
        PID:4176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        87⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        88⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        87⤵
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        88⤵
        
        PID:632
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        89⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        88⤵
        
        PID:364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        89⤵
        
        PID:408
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        90⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        89⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        90⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        91⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        90⤵
        
        PID:4756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:4200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        91⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        92⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        91⤵
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        92⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        93⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        92⤵
        
        PID:800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:1204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        93⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        94⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        93⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:4156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        94⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        95⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        94⤵
        
        PID:1164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        95⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        96⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        95⤵
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        96⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        97⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        96⤵
        
        PID:4160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        97⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        98⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        97⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:5092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:4588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        98⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        99⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        98⤵
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        99⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        100⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        99⤵
        
        PID:4308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        100⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        101⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        100⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        101⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        102⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        101⤵
        
        PID:4288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        102⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        103⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        102⤵
        
        PID:3132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        103⤵
        
        PID:884
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        104⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        103⤵
        
        PID:5008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        104⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        105⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        104⤵
        
        PID:5092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        Adds Run key to start application
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        105⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        106⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        105⤵
        
        PID:4908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        106⤵
        
        PID:992
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        107⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        106⤵
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:4432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        107⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        108⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        107⤵
        
        PID:3612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        108⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        109⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        108⤵
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        109⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        110⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        109⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        110⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        111⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        110⤵
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        111⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        112⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        111⤵
        
        PID:4136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        112⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        113⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        112⤵
        
        PID:5072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        113⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        114⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        113⤵
        
        PID:1520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:4364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:4140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:4164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        114⤵
        
        PID:584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        115⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        114⤵
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        115⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        116⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        115⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        116⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        117⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        116⤵
        
        PID:736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        117⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        118⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        117⤵
        
        PID:1672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        118⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        119⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        118⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:5088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        119⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        120⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        119⤵
        
        PID:4596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        120⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        121⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        120⤵
        
        PID:4372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        121⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        122⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        121⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        122⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        123⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        122⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        123⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        124⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        123⤵
        
        PID:3516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        124⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        124⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        125⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        124⤵
        
        PID:4336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        125⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        126⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        125⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        126⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        126⤵
        
        PID:856
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        127⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        126⤵
        
        PID:1308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        127⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        128⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        127⤵
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        128⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        128⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        129⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        128⤵
        
        PID:4860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        129⤵
        
        PID:776
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        130⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        129⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        130⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        131⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        130⤵
        
        PID:4488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        131⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        131⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        132⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        131⤵
        
        PID:1908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        132⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        133⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        132⤵
        
        PID:4448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        133⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        133⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        134⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        133⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        
        PID:3608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        134⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        135⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        134⤵
        
        PID:4940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        135⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        136⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        135⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        136⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        137⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        136⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        137⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        137⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        138⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        137⤵
        
        PID:4524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        138⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        138⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        139⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        138⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        139⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        140⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        139⤵
        
        PID:4140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        140⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        141⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        140⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        141⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        141⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        142⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        141⤵
        
        PID:3800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        142⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        142⤵
        
        PID:908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        143⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        142⤵
        
        PID:1500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:4548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        143⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        144⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        143⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        144⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        145⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        144⤵
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        145⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        146⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        145⤵
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        146⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        147⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        146⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        147⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        148⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        147⤵
        
        PID:4148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        148⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        148⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        149⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        148⤵
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        149⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        150⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        149⤵
        
        PID:4864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        150⤵
        
        PID:364
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        151⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        150⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        151⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        152⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        151⤵
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        152⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        153⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        152⤵
        
        PID:4972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        153⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        154⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        153⤵
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        154⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        155⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        154⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:4204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        155⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        156⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        155⤵
        
        PID:4452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        Adds Run key to start application
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        156⤵
        
        PID:900
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        157⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        156⤵
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        157⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        158⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        157⤵
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        158⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        158⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        159⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        158⤵
        
        PID:4732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        159⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        160⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        159⤵
        
        PID:4268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        160⤵
        
        PID:416
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        161⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        160⤵
        
        PID:4840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        161⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        162⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        161⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        162⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        163⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        162⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        163⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        164⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        163⤵
        
        PID:4136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        164⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        165⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        164⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        165⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        166⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        165⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        166⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        167⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        166⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        167⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        168⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        167⤵
        
        PID:1520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        168⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        168⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        169⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        168⤵
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        169⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        169⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        170⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        169⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        170⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        171⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        170⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        171⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        172⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        171⤵
        
        PID:4880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:3800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        172⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        173⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        172⤵
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        173⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        173⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        174⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        173⤵
        
        PID:4564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        174⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        175⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        174⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        175⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        175⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        176⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        175⤵
        
        PID:4636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        176⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        176⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        177⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        176⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:4884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        177⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        178⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        177⤵
        
        PID:744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        178⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        178⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        179⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        178⤵
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        179⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        179⤵
        
        PID:800
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        180⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        179⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:1904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        Adds Run key to start application
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        180⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        181⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        180⤵
        
        PID:580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        181⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        182⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        181⤵
        
        PID:1372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        182⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        182⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        183⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        182⤵
        
        PID:4636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        183⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        183⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        184⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        183⤵
        
        PID:4684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        184⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        184⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        185⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        184⤵
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        185⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        185⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        186⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        185⤵
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        186⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        186⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        187⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        186⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        187⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        187⤵
        
        PID:856
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        188⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        187⤵
        
        PID:4624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        188⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        189⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        188⤵
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        189⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        189⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        190⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        189⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        190⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        190⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        191⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        190⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        191⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        191⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        192⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        191⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        192⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        192⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        193⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        192⤵
        
        PID:4488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        193⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        193⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        194⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        193⤵
        
        PID:1908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:5016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        194⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        195⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        194⤵
        
        PID:3844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        195⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        195⤵
        
        PID:992
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        196⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        195⤵
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        196⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        197⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        196⤵
        
        PID:1372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        197⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        198⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        197⤵
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        198⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        198⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        199⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        198⤵
        
        PID:4368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        199⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        199⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        200⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        199⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        200⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        200⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        200⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        201⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        200⤵
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        201⤵
        
        PID:4124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        201⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        201⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        202⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        201⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        202⤵
        
        PID:972
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        203⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        202⤵
        
        PID:508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        203⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        204⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        203⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        204⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        205⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        204⤵
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        205⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        205⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        206⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        205⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        206⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        207⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        206⤵
        
        PID:904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        207⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        208⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        207⤵
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        208⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        208⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        209⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        208⤵
        
        PID:4768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        209⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        210⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        209⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        210⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        210⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        211⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        210⤵
        
        PID:3852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        211⤵
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        211⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        211⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        212⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        211⤵
        
        PID:4364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        212⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        212⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        213⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        212⤵
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:4468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        213⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        214⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        213⤵
        
        PID:384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        214⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        214⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        215⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        214⤵
        
        PID:4744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        215⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        215⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        216⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        215⤵
        
        PID:5048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        216⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        216⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        217⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        216⤵
        
        PID:4972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        217⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        218⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        217⤵
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        218⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        219⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        218⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        219⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        219⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        220⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        219⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        220⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        220⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        221⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        220⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        221⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        222⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        221⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        222⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        222⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        223⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        222⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        223⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        224⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        223⤵
        
        PID:3956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        224⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        225⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        224⤵
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        225⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        226⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        225⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        226⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        226⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        227⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        226⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        227⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        227⤵
        
        PID:804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        228⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        227⤵
        
        PID:4948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        228⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        229⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        228⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        229⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        229⤵
        
        PID:504
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        230⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        229⤵
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        Adds Run key to start application
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        230⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        231⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        230⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        231⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        231⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        232⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        231⤵
        
        PID:4580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        232⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        232⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        233⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        232⤵
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        233⤵
        
        PID:1500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        233⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        233⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        234⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        233⤵
        
        PID:4540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        234⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        234⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        235⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        234⤵
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download