azorult | 5639363353a4dcf957c52abba6b49501ac8d6dde78e338842f8301165284c3a0

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Size

218KB
MD5

415a0770a8f5e60a5fb408ebf360f6db
SHA1

679b46c5d0bc11608aa21636b3c11ac75ee0e6c5
SHA256

5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd
SHA512

0c059bbc1f4b684b15629cc6e5c2a2eac8ba89db5ae54286e0286b0f35a779af9a5a026ba26a821fcaccd6ec33586637cac32ba41bb79a3c4d08759663df31b5
SSDEEP

6144:mnIR+VhX35mOtbF9CZCLRdJiiOOAOy/D:mIRWN5btbBLRziidAO

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://45.95.168.162/city/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 2296 set thread context of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2732 set thread context of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2664 set thread context of 2396	2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	46
PID 2004 set thread context of 1744	2004	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	51
PID 1236 set thread context of 1128	1236	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	56
PID 2460 set thread context of 1928	2460	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	62
PID 2268 set thread context of 2272	2268	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	67
PID 2360 set thread context of 2304	2360	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	72
PID 1760 set thread context of 1156	1760	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	77
PID 2372 set thread context of 2132	2372	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	82
PID 2452 set thread context of 2228	2452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	87
PID 2616 set thread context of 2112	2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	93
PID 2636 set thread context of 1840	2636	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	98
PID 2680 set thread context of 1152	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	105
PID 2188 set thread context of 2028	2188	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	110
PID 408 set thread context of 872	408	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	115
PID 972 set thread context of 1876	972	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	120
PID 3016 set thread context of 1364	3016	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	125
PID 2164 set thread context of 1532	2164	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	131
PID 548 set thread context of 1808	548	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	136
PID 2440 set thread context of 2952	2440	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	141
PID 2864 set thread context of 316	2864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	146
PID 2272 set thread context of 2052	2272	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	153
PID 2188 set thread context of 2808	2188	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	158
PID 1920 set thread context of 1056	1920	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	163
PID 1932 set thread context of 2832	1932	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	208
PID 804 set thread context of 1552	804	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	174
PID 2040 set thread context of 2164	2040	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	179
PID 532 set thread context of 2956	532	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	184
PID 1632 set thread context of 2624	1632	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	189
PID 2036 set thread context of 1672	2036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	195
PID 2672 set thread context of 2688	2672	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	200
PID 1752 set thread context of 2752	1752	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	274
PID 1812 set thread context of 2768	1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	210
PID 1736 set thread context of 944	1736	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	251
PID 3016 set thread context of 1992	3016	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	259
PID 2236 set thread context of 1948	2236	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	375
PID 1840 set thread context of 1640	1840	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	230
PID 492 set thread context of 1792	492	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	348
PID 2392 set thread context of 564	2392	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	240
PID 864 set thread context of 2372	864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	245
PID 1968 set thread context of 1728	1968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	435
PID 1812 set thread context of 900	1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	255
PID 1992 set thread context of 3060	1992	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	260
PID 2952 set thread context of 1712	2952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	413
PID 988 set thread context of 2380	988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	473
PID 2752 set thread context of 1856	2752	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	275
PID 2160 set thread context of 2660	2160	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	280
PID 2620 set thread context of 1304	2620	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	285
PID 2616 set thread context of 2516	2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	480
PID 976 set thread context of 892	976	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	463
PID 1084 set thread context of 1636	1084	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	374
PID 1812 set thread context of 1236	1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	345
PID 1564 set thread context of 1056	1564	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	310
PID 1436 set thread context of 336	1436	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	395
PID 2136 set thread context of 1536	2136	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	505
PID 2892 set thread context of 1932	2892	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	327
PID 1668 set thread context of 1956	1668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	519
PID 784 set thread context of 2472	784	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	570
PID 1096 set thread context of 2888	1096	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	380
PID 1788 set thread context of 1084	1788	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	347
PID 2132 set thread context of 2288	2132	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	389
PID 2924 set thread context of 336	2924	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	395

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2004	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1236	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2460	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2460	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2268	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2360	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1760	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2372	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2636	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2188	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
408	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
972	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3016	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2164	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2164	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
548	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2440	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2272	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2272	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2272	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2188	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1920	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1932	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1932	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
804	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2040	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
532	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1632	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2672	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1752	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1736	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3016	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2236	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1840	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
492	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2392	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1992	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2752	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2160	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2620	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
976	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1084	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1564	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1436	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2004	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1236	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2460	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2268	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2360	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1760	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2372	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2636	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2188	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	408	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	972	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3016	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2164	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	548	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2440	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2272	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2188	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1920	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1932	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	804	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2040	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	532	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1632	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2672	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1752	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1736	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3016	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2236	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1840	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	492	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2392	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1992	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2752	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2160	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2620	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2616	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	976	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1084	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1812	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1564	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1436	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2136	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2892	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	784	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1096	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1788	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2132	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2924	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 3056	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	31
PID 1728 wrote to memory of 2248	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	32
PID 1728 wrote to memory of 2248	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	32
PID 1728 wrote to memory of 2248	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	32
PID 1728 wrote to memory of 2248	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	32
PID 2248 wrote to memory of 2176	2248	cmd.exe	34
PID 2248 wrote to memory of 2176	2248	cmd.exe	34
PID 2248 wrote to memory of 2176	2248	cmd.exe	34
PID 2248 wrote to memory of 2176	2248	cmd.exe	34
PID 1728 wrote to memory of 2296	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	35
PID 1728 wrote to memory of 2296	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	35
PID 1728 wrote to memory of 2296	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	35
PID 1728 wrote to memory of 2296	1728	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	35
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2908	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	36
PID 2296 wrote to memory of 2992	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	37
PID 2296 wrote to memory of 2992	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	37
PID 2296 wrote to memory of 2992	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	37
PID 2296 wrote to memory of 2992	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	37
PID 2992 wrote to memory of 2920	2992	cmd.exe	39
PID 2992 wrote to memory of 2920	2992	cmd.exe	39
PID 2992 wrote to memory of 2920	2992	cmd.exe	39
PID 2992 wrote to memory of 2920	2992	cmd.exe	39
PID 2296 wrote to memory of 2732	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	40
PID 2296 wrote to memory of 2732	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	40
PID 2296 wrote to memory of 2732	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	40
PID 2296 wrote to memory of 2732	2296	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	40
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2972	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	41
PID 2732 wrote to memory of 2672	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	42
PID 2732 wrote to memory of 2672	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	42
PID 2732 wrote to memory of 2672	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	42
PID 2732 wrote to memory of 2672	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	42
PID 2672 wrote to memory of 2628	2672	cmd.exe	44
PID 2672 wrote to memory of 2628	2672	cmd.exe	44
PID 2672 wrote to memory of 2628	2672	cmd.exe	44
PID 2672 wrote to memory of 2628	2672	cmd.exe	44
PID 2732 wrote to memory of 2664	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	45
PID 2732 wrote to memory of 2664	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	45
PID 2732 wrote to memory of 2664	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	45
PID 2732 wrote to memory of 2664	2732	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	45
PID 2664 wrote to memory of 2396	2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	46
PID 2664 wrote to memory of 2396	2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	46
PID 2664 wrote to memory of 2396	2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	46
PID 2664 wrote to memory of 2396	2664	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	46

C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
"C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2176
- C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
  "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2920
- - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
    "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
      "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        5⤵
        
        PID:320
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        6⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        7⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        8⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        9⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        11⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        13⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:1688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        14⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        15⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        16⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:1320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        16⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        17⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        18⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        19⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        20⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:1760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        21⤵
        
        PID:880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        22⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        23⤵
        
        PID:892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        24⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        24⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        25⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        27⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        29⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        29⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        30⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        30⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        31⤵
        
        PID:832
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        32⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        32⤵
        
        PID:784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        33⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        34⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        35⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        36⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        37⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        38⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        40⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        40⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        40⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        41⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        41⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        42⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        43⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        43⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        44⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        43⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        44⤵
        
        PID:944
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        45⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        46⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        47⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        47⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        48⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        48⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        49⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        49⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        50⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        50⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        51⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        50⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        51⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        52⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        52⤵
        
        PID:880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        53⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        52⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        53⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        54⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        54⤵
        
        PID:620
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        55⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        54⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        55⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        56⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        56⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        56⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        57⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        58⤵
        
        PID:540
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        58⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        59⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        60⤵
        
        PID:552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        60⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        61⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        62⤵
        
        PID:532
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        63⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        63⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        64⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        65⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        64⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        65⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        66⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        65⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        66⤵
        
        PID:604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        67⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        66⤵
        
        PID:2992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        68⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        67⤵
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        68⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        69⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        68⤵
        
        PID:740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        69⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        69⤵
        
        PID:1704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        70⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        71⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        70⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        71⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        72⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        71⤵
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        72⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        73⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        72⤵
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        73⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        74⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        73⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        74⤵
        
        PID:972
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        75⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        74⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        75⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        76⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        75⤵
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        76⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        77⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        76⤵
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        77⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        78⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        78⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        78⤵
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        79⤵
        
        PID:920
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        80⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        79⤵
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        80⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        81⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        80⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        81⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        82⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        82⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        83⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        82⤵
        
        PID:3048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        84⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        83⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        84⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        85⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        84⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        85⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        86⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        86⤵
        
        PID:892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        87⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        86⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        87⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        88⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        87⤵
        
        PID:580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        88⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        89⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        88⤵
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        89⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        90⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        89⤵
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        90⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        91⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        90⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        91⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        92⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        91⤵
        
        PID:1388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        92⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        93⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        92⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        93⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        94⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        93⤵
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        95⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        94⤵
        
        PID:2284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        95⤵
        
        PID:864
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        96⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        95⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        96⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        97⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        96⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        97⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        98⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        97⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        98⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        99⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        98⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        99⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        100⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        99⤵
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        100⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        101⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        100⤵
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        101⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        102⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        101⤵
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        102⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        103⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        102⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        103⤵
        
        PID:824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        104⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        103⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        104⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        105⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        104⤵
        
        PID:2092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        105⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        106⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        105⤵
        
        PID:620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        106⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        107⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        106⤵
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:2948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        107⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        108⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        107⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        108⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        109⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        108⤵
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        110⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        109⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        110⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        111⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        110⤵
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        111⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        112⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        111⤵
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        112⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        113⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        112⤵
        
        PID:1724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        113⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        114⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        113⤵
        
        PID:1264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        114⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        115⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        114⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        115⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        116⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        115⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        116⤵
        
        PID:832
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        117⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        116⤵
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        117⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        118⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        117⤵
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        118⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        118⤵
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        119⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        120⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        119⤵
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        120⤵
        
        PID:784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        121⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        120⤵
        
        PID:1856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        121⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        122⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        121⤵
        
        PID:2948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        122⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        123⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        122⤵
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:1388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        123⤵
        
        PID:996
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        124⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        123⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        124⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        125⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        124⤵
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        125⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        126⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        125⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        126⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        127⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        126⤵
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        127⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        128⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        127⤵
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        128⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        128⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        129⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        128⤵
        
        PID:1492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        129⤵
        
        PID:532
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        130⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        129⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        130⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        131⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        130⤵
        
        PID:1544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        131⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        131⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        132⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        131⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        132⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        133⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        132⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        133⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        133⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        134⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        133⤵
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        134⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        135⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        134⤵
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        135⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        136⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        135⤵
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:2284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        136⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        137⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        136⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        137⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        137⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        138⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        137⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        138⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        138⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        139⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        138⤵
        
        PID:564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        139⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        140⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        139⤵
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        140⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        141⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        140⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        141⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        141⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        142⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        142⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        142⤵
        
        PID:692
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        143⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        142⤵
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        143⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        144⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        143⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        144⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        145⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        144⤵
        
        PID:1996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        145⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        146⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        145⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        146⤵
        
        PID:900
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        147⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        146⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        147⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        148⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        147⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        148⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        148⤵
        
        PID:864
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        149⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        148⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        149⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        150⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        149⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        150⤵
        
        PID:860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        151⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        150⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        152⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        151⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        152⤵
        
        PID:552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        153⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        152⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        153⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        154⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        153⤵
        
        PID:1996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        154⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        155⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        154⤵
        
        PID:1928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        155⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        156⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        155⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        156⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        157⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        156⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        157⤵
        
        PID:696
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        158⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        157⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        158⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        158⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        159⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        158⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        159⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        160⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        159⤵
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        160⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        161⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        160⤵
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        161⤵
        
        PID:448
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        162⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        161⤵
        
        PID:580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        162⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        163⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        162⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        163⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        164⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        163⤵
        
        PID:1216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:3060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        164⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        165⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        164⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        165⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        166⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        165⤵
        
        PID:784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        166⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        167⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        166⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        167⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        168⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        167⤵
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        168⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        168⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        169⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        168⤵
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        169⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        169⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        170⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        169⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:1784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        170⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        171⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        170⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        171⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        172⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        171⤵
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        172⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        173⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        172⤵
        
        PID:2948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        173⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        173⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        174⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        173⤵
        
        PID:860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        174⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        175⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        174⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        175⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        175⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        176⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        175⤵
        
        PID:1364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        176⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        176⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        177⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        176⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        177⤵
        
        PID:920
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        178⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        177⤵
        
        PID:1032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        178⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        178⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        179⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        178⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        179⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        179⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        180⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        179⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        180⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        181⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        180⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        181⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        182⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        181⤵
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        182⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        182⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        183⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        182⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        183⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        183⤵
        
        PID:904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        184⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        183⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        184⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        184⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        185⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        184⤵
        
        PID:2124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        185⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        185⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        186⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        185⤵
        
        PID:492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        186⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        186⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        187⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        186⤵
        
        PID:1652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        187⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        187⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        188⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        187⤵
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        188⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        189⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        188⤵
        
        PID:1724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        189⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        189⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        190⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        189⤵
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        190⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        190⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        191⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        190⤵
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        191⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        191⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        192⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        191⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        192⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        192⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        193⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        192⤵
        
        PID:548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        193⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        193⤵
        
        PID:324
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        194⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        193⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        194⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        195⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        194⤵
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        195⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        195⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        195⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        196⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        195⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        196⤵
        
        PID:784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        197⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        196⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        197⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        198⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        197⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        198⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        198⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        199⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        198⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        199⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        199⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        200⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        199⤵
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        200⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        200⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        201⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        200⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        201⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        201⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        202⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        201⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        202⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        203⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        202⤵
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        203⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        204⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        203⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        204⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        205⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        204⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        205⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        205⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        205⤵
        
        PID:580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        206⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        207⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        206⤵
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        207⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        208⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        207⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        208⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        208⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        209⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        208⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        209⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        210⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        209⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        210⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        211⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        210⤵
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        211⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        211⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        212⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        211⤵
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        212⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        212⤵
        
        PID:2372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        213⤵
        
        PID:828
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        214⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        213⤵
        
        PID:1308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        214⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        214⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        215⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        214⤵
        
        PID:676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        215⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        215⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        215⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        216⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        216⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        217⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        218⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        217⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:1216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        218⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        219⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        218⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        219⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        220⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        219⤵
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        220⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        220⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        221⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        220⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        221⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        222⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        221⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        222⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        222⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        223⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        222⤵
        
        PID:1800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        223⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        224⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        223⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        224⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        225⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        224⤵
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        225⤵
        
        PID:972
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        226⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        225⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        226⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        226⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        227⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        226⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        227⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        228⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        228⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        229⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        228⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        229⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        229⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        230⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        229⤵
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        230⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        231⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        230⤵
        
        PID:2404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        231⤵
        
        PID:1544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        231⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        231⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        232⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        231⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        232⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        232⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        233⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        232⤵
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        233⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        233⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        234⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        233⤵
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        234⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        234⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        235⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        234⤵
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        235⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        236⤵
        
        PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "400937779-1253402498-846998505-1664755885373682411675242885-131896511-523440577"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59721925714829256691741509512909039357185533750-1855214521-1358274620-726142646"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12920350791469790064844433602027080490-14101131061419791053-215476285486793913"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "50301215174099208409523317-1194720702-1142930607-1770398467-391524908-1593737880"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-756930946-13154150881212295772-2059983926-14800357441813540788-4955710831473076798"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1008744217-462384484-799793643-609536723913169801407337982163628052-1261521361"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9846896379318834631889216279195703045-18177503401244788846265672085-1888528609"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "172092606212765291281209391841131795598-1676690146-18304565911585463512-1095365438"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-914043512729203708-1464011229489039674235521769-1410041693-1951323294-1632882408"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-251740503-199950204114504728526424128152030936799-1523328901-1456023178-1866852491"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1366161531954020186-1720592272-729773814-4944422502053394107-9827801591521560833"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15773020911820047016-177386283-1337764715-568113185-10459686959595895401731545821"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-986215935-2066521528-819919562711332967178304925926744454682562186210386083"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "853151445-488908016574440765-18172035171280599915-1636220382-21296062611695968290"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-455097877770595895213208347-597797113-1055878253-10531878952102249697817098207"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "489414697686393432-967571076-1572137572-1281438900-1190005840237345733-1873464707"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1737324109283724112144089260-10855648861993906628459646668120409619514691836"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "48099473812445857171135218223-20644986011982113680-199596045-762563816299536819"
1⤵
PID:336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "619948258-248020162-1436274401530343741879847134-88176335912572733491582208223"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7321807991138818040-2144476781-1531939765-15979373571104151929-19123299061861694911"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1825606045-1463414905-2465021613338108591696099241-1818578031928560424-574662695"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6908364665343961291615519418-20177633865180527571018851332447638384-880572277"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6890173201374102372822267564395456384782863966-902990674-43350940-196626935"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1252919349159141055-143402257-468528572-1351567529-16221529351342860418762786829"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "595521228-1055788490-859837686417388758-2072688130-90461491-1727092526-245290267"
1⤵
PID:492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "43609118122365087910265902-817942063866822735-2065468526-509773711172812723"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "327665531191200778711258210811902240609-125910589-16899607331501584545644332932"
1⤵
PID:996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "22198725313769942-1738548296-2836825521380137274-936893680-3240198431457422407"
1⤵
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1452496805437971450-237495514-1107293033738005313-1848369140714327878-1840777890"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17091348284043020051112357952-1973651803144000875817707277151057017698-1548580256"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-640451874-3070922-769930069-1553226362-899535069-12964122721052402194-1499758880"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1387020573-100212085-147820713-1375625187-35825696617289909471512649029550698630"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-427114184-731364250-1473703500-412339004-2004383740-1815576384-1214293319-963052960"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12757448328314264331600799347-13380776821315869771575449587-325328753885310187"
1⤵
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37036634-8675594541231812389-132953794316154233881559287481186421672310561376"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1130565819-361227056655770209-1943089355-317454203-80218296617843417061535547353"
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2275692751219548732-2761284451360910282965621917035256464299035-282545168"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "46335749-1867495130-15281219702029296529-13530322191436718501748974877848030612"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11422712431983610678-871127467-69314875659018205-8864177178422133-1750660258"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10625930833892548751571936910-1687707784-9089437951883028231533379200-208621961"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "839587801-1824233031812346887788372731-1813499516523962093-356007386-1357378250"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1473898291-46222159620972375051023192500287919039-949989042-383947542802284256"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "82909272526594214-16075110517161670561364736164-16089846881643966971-400508114"
1⤵
PID:628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1299819884-848121076-192574932118578769988785401093674847893998626-834255083"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1048309701268853241-731278811-3882976271956024502-1473119295-2013153841-1429330884"
1⤵
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1936606924-1079518194-13118068621906969722-959264502-11667696132144890245429447678"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11655840131601580825215673982906268787-2072860542912502180-430738242-1330181772"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1574548392751509072-253256948-316666749-1470913439-3805738091043989787686649052"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1434313614445498914-1313382028-1195013801619630239-1728019524-82915683-229829611"
1⤵
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-916457623-761615611995811125-379036511-697074737-4502495902529330262128909241"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "61898905813979255501200455589-175000385719200117562744356601283048131934340301"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "412219108-1596087027258686212-37226813348542390-1435517841823893962060470913"
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-16-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-1-0x0000000000ED0000-0x0000000000F0E000-memory.dmp

Filesize
248KB

Download
memory/1728-2-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1728-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

Filesize
4KB

Download
memory/1728-25-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-369-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-2461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download