azorult | 5639363353a4dcf957c52abba6b49501ac8d6dde78e338842f8301165284c3a0

Analysis

max time kernel
62s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Size

218KB
MD5

415a0770a8f5e60a5fb408ebf360f6db
SHA1

679b46c5d0bc11608aa21636b3c11ac75ee0e6c5
SHA256

5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd
SHA512

0c059bbc1f4b684b15629cc6e5c2a2eac8ba89db5ae54286e0286b0f35a779af9a5a026ba26a821fcaccd6ec33586637cac32ba41bb79a3c4d08759663df31b5
SSDEEP

6144:mnIR+VhX35mOtbF9CZCLRdJiiOOAOy/D:mIRWN5btbBLRziidAO

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://45.95.168.162/city/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 2428	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	82
PID 860 set thread context of 4840	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	87
PID 2680 set thread context of 5092	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	91
PID 2072 set thread context of 3020	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	97
PID 4656 set thread context of 952	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	104
PID 4580 set thread context of 1532	4580	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	109
PID 2896 set thread context of 2004	2896	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	114
PID 4576 set thread context of 1940	4576	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	119
PID 2688 set thread context of 3876	2688	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	124
PID 4644 set thread context of 116	4644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	130
PID 4840 set thread context of 4316	4840	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	135
PID 4244 set thread context of 1196	4244	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	140
PID 2056 set thread context of 3128	2056	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	145
PID 2344 set thread context of 3680	2344	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	150
PID 2492 set thread context of 1800	2492	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	239
PID 5080 set thread context of 728	5080	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	160
PID 4572 set thread context of 2408	4572	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	165
PID 4452 set thread context of 3008	4452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	171
PID 5036 set thread context of 4700	5036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	276
PID 2008 set thread context of 4696	2008	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	181
PID 952 set thread context of 4756	952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	186
PID 4988 set thread context of 4468	4988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	192
PID 3428 set thread context of 1936	3428	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	306
PID 1556 set thread context of 1896	1556	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	244
PID 2716 set thread context of 3108	2716	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	249
PID 2100 set thread context of 764	2100	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	214
PID 3192 set thread context of 4872	3192	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	219
PID 2384 set thread context of 1480	2384	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	224
PID 232 set thread context of 1328	232	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	229
PID 1644 set thread context of 2420	1644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	472
PID 2996 set thread context of 2064	2996	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	243
PID 4952 set thread context of 3376	4952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	248
PID 3348 set thread context of 2256	3348	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	255
PID 3668 set thread context of 3332	3668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	523
PID 1280 set thread context of 2416	1280	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	267
PID 316 set thread context of 3520	316	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	272
PID 4700 set thread context of 1044	4700	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	277
PID 4124 set thread context of 4860	4124	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	416
PID 2476 set thread context of 4380	2476	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	381
PID 4340 set thread context of 488	4340	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	296
PID 3380 set thread context of 4832	3380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	302
PID 1936 set thread context of 3280	1936	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	307
PID 464 set thread context of 1856	464	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	312
PID 2488 set thread context of 4952	2488	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	554
PID 2152 set thread context of 3992	2152	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	324
PID 3864 set thread context of 956	3864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	386
PID 380 set thread context of 4556	380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	334
PID 316 set thread context of 3708	316	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	484
PID 3916 set thread context of 3120	3916	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	376
PID 3688 set thread context of 3636	3688	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	438
PID 4944 set thread context of 1208	4944	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	725
PID 368 set thread context of 908	368	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	361
PID 1040 set thread context of 408	1040	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	366
PID 2120 set thread context of 3184	2120	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	596
PID 5044 set thread context of 2700	5044	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	794
PID 4668 set thread context of 3192	4668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	522
PID 1772 set thread context of 3688	1772	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	797
PID 2056 set thread context of 4884	2056	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	686
PID 880 set thread context of 368	880	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	399
PID 5064 set thread context of 1040	5064	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	846
PID 1280 set thread context of 3636	1280	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	748
PID 2212 set thread context of 3200	2212	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	696
PID 2776 set thread context of 4668	2776	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	838
PID 384 set thread context of 3716	384	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	425

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4580	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2896	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4576	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2688	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4840	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4244	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2056	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2344	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2492	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
5080	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4572	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
5036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2008	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3428	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1556	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1556	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2716	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2716	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2100	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3192	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2384	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
232	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2996	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2996	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3348	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3348	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3348	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1280	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
316	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4700	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4124	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4124	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4124	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4124	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2476	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4340	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
4340	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
1936	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
464	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2488	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2488	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
2152	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
3864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4580	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2896	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4576	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2688	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4840	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4244	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2056	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2344	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2492	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	5080	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4572	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4452	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	5036	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2008	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4988	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3428	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1556	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2716	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2100	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3192	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2384	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	232	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1644	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2996	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4952	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3348	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1280	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	316	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4700	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4124	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2476	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4340	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1936	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	464	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2488	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2152	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3864	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	380	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	316	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3916	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	3688	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4944	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	368	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1040	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2120	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	5044	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	4668	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1772	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2056	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	880	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	5064	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	1280	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2212	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	2776	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
Token: SeDebugPrivilege	384	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 2428	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	82
PID 3968 wrote to memory of 2428	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	82
PID 3968 wrote to memory of 2428	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	82
PID 3968 wrote to memory of 2428	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	82
PID 3968 wrote to memory of 2012	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	83
PID 3968 wrote to memory of 2012	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	83
PID 3968 wrote to memory of 2012	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	83
PID 2012 wrote to memory of 2484	2012	cmd.exe	85
PID 2012 wrote to memory of 2484	2012	cmd.exe	85
PID 2012 wrote to memory of 2484	2012	cmd.exe	85
PID 3968 wrote to memory of 860	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	86
PID 3968 wrote to memory of 860	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	86
PID 3968 wrote to memory of 860	3968	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	86
PID 860 wrote to memory of 4840	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	87
PID 860 wrote to memory of 4840	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	87
PID 860 wrote to memory of 4840	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	87
PID 860 wrote to memory of 4840	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	87
PID 860 wrote to memory of 2700	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	88
PID 860 wrote to memory of 2700	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	88
PID 860 wrote to memory of 2700	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	88
PID 860 wrote to memory of 2680	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	90
PID 860 wrote to memory of 2680	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	90
PID 860 wrote to memory of 2680	860	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	90
PID 2680 wrote to memory of 5092	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	91
PID 2680 wrote to memory of 5092	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	91
PID 2680 wrote to memory of 5092	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	91
PID 2680 wrote to memory of 5092	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	91
PID 2700 wrote to memory of 1564	2700	cmd.exe	92
PID 2700 wrote to memory of 1564	2700	cmd.exe	92
PID 2700 wrote to memory of 1564	2700	cmd.exe	92
PID 2680 wrote to memory of 5020	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	93
PID 2680 wrote to memory of 5020	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	93
PID 2680 wrote to memory of 5020	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	93
PID 5020 wrote to memory of 5016	5020	cmd.exe	95
PID 5020 wrote to memory of 5016	5020	cmd.exe	95
PID 5020 wrote to memory of 5016	5020	cmd.exe	95
PID 2680 wrote to memory of 2072	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	96
PID 2680 wrote to memory of 2072	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	96
PID 2680 wrote to memory of 2072	2680	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	96
PID 2072 wrote to memory of 3020	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	97
PID 2072 wrote to memory of 3020	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	97
PID 2072 wrote to memory of 3020	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	97
PID 2072 wrote to memory of 3020	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	97
PID 2072 wrote to memory of 232	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	98
PID 2072 wrote to memory of 232	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	98
PID 2072 wrote to memory of 232	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	98
PID 2072 wrote to memory of 4656	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	100
PID 2072 wrote to memory of 4656	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	100
PID 2072 wrote to memory of 4656	2072	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	100
PID 232 wrote to memory of 1416	232	cmd.exe	101
PID 232 wrote to memory of 1416	232	cmd.exe	101
PID 232 wrote to memory of 1416	232	cmd.exe	101
PID 4656 wrote to memory of 1688	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	102
PID 4656 wrote to memory of 1688	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	102
PID 4656 wrote to memory of 1688	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	102
PID 4656 wrote to memory of 1372	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	103
PID 4656 wrote to memory of 1372	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	103
PID 4656 wrote to memory of 1372	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	103
PID 4656 wrote to memory of 952	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	104
PID 4656 wrote to memory of 952	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	104
PID 4656 wrote to memory of 952	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	104
PID 4656 wrote to memory of 952	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	104
PID 4656 wrote to memory of 1864	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	105
PID 4656 wrote to memory of 1864	4656	5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe	105

C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
"C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2484
- C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
  "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
    "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
      "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1372
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        6⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
      - C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        7⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        7⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        9⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        10⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:3092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        11⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        12⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        13⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        14⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        15⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        16⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        15⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        16⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        16⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        17⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        18⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:2700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        19⤵
        
        PID:384
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        19⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        20⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        21⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        21⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        22⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        23⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        24⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        24⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        25⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        25⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        26⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        26⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        27⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        28⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        29⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        29⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        30⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        30⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:4128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        31⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        32⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:3804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        32⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        32⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        33⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        33⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        34⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        34⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        35⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        37⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        38⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:3124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        39⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        40⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        40⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        40⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:3980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        41⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        41⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        42⤵
        
        PID:524
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        43⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        42⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        43⤵
        
        PID:452
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        44⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        43⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        45⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        45⤵
        
        PID:632
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        46⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        45⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        46⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        47⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        47⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        48⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        49⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        49⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        49⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        50⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        51⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        50⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        51⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        52⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        52⤵
        
        PID:760
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        53⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        52⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        53⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        54⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        54⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        55⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        54⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        55⤵
        
        PID:728
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        56⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        56⤵
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:524
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        56⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        57⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:5072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        58⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        58⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        59⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        59⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        60⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        60⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        61⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        62⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        63⤵
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        63⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        64⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        65⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        64⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:4364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        65⤵
        
        PID:784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        66⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        65⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        66⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        67⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        66⤵
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        67⤵
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        68⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        69⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        68⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        69⤵
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        69⤵
        
        PID:980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        70⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        71⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        70⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        71⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        72⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        71⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        72⤵
        
        PID:860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        73⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        72⤵
        Checks computer location settings
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        73⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        74⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        73⤵
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        74⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        75⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        74⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        75⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        76⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        75⤵
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        76⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        77⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        77⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        78⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        77⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        78⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        79⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        78⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        79⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        80⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        79⤵
        Checks computer location settings
        
        PID:3092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        80⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        81⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        80⤵
        Checks computer location settings
        
        PID:672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        81⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        82⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        81⤵
        Checks computer location settings
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        82⤵
        
        PID:988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        83⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        82⤵
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        83⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        83⤵
        
        PID:3116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        84⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        85⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        84⤵
        Checks computer location settings
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        85⤵
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        86⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        85⤵
        Checks computer location settings
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        86⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        87⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:2200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        87⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        88⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        87⤵
        Checks computer location settings
        
        PID:4144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:1316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        88⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        89⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        88⤵
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        89⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        90⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        89⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        90⤵
        
        PID:980
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        91⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        90⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        91⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        92⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        91⤵
        
        PID:1124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        92⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        93⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        92⤵
        Checks computer location settings
        
        PID:1432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        93⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        94⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        93⤵
        Checks computer location settings
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        95⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        94⤵
        
        PID:4864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        95⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        96⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        95⤵
        
        PID:432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        96⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        97⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        96⤵
        Checks computer location settings
        
        PID:4992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        97⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        98⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        97⤵
        Checks computer location settings
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        98⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        99⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        98⤵
        Checks computer location settings
        
        PID:852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        99⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        100⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        99⤵
        
        PID:5044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        100⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        101⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        100⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        101⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        102⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        101⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        102⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        103⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        102⤵
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        103⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        104⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        103⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        104⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        105⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        104⤵
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        105⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        106⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        105⤵
        Checks computer location settings
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        107⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        106⤵
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        107⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        108⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:4632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        108⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        109⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        108⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        109⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        110⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        109⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        110⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        111⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        110⤵
        Checks computer location settings
        
        PID:1380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        111⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        112⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        111⤵
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        112⤵
        
        PID:3288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        113⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        112⤵
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:4992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        113⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        114⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        113⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        114⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        115⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        114⤵
        
        PID:4884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:3960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        115⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        116⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        115⤵
        
        PID:384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        116⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        117⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        116⤵
        Checks computer location settings
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        117⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        118⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        117⤵
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:4908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:4912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        118⤵
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        119⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        118⤵
        Checks computer location settings
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        120⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        119⤵
        Checks computer location settings
        
        PID:3336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:4180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        120⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        121⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        120⤵
        Checks computer location settings
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        121⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        122⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        121⤵
        
        PID:1208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        122⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        123⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        122⤵
        
        PID:3124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        123⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        124⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        123⤵
        Checks computer location settings
        
        PID:4556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        124⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        124⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        125⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        124⤵
        Checks computer location settings
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:4176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        125⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        126⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        125⤵
        Checks computer location settings
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        126⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        126⤵
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        127⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        126⤵
        Checks computer location settings
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        127⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        128⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        127⤵
        
        PID:768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        128⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        128⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        129⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        128⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        130⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        130⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        131⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        131⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        131⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        132⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        131⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        132⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        133⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        132⤵
        
        PID:548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        133⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        134⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        133⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        134⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        134⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        135⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        136⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        135⤵
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        136⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        137⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        136⤵
        
        PID:4860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        137⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        137⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:220
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        138⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        137⤵
        Checks computer location settings
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        138⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        139⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        138⤵
        Checks computer location settings
        
        PID:2372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        139⤵
        
        PID:3568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        140⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        139⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:3104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        140⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        141⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        140⤵
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        141⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        141⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        142⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        141⤵
        
        PID:384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        142⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        142⤵
        
        PID:928
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        143⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        142⤵
        
        PID:4396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        143⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        144⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        143⤵
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        144⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        144⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        145⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        146⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        145⤵
        
        PID:548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        146⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        147⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        146⤵
        Checks computer location settings
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:5064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        147⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        148⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        147⤵
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        148⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        149⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        149⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        150⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        149⤵
        
        PID:3312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        150⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        151⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        150⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        151⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        152⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        151⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        152⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        153⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        152⤵
        
        PID:3776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        153⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:384
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        154⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        153⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        154⤵
        
        PID:908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        155⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        154⤵
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        156⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        155⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        156⤵
        
        PID:932
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        156⤵
        Checks computer location settings
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        157⤵
        Checks computer location settings
        
        PID:548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        158⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        158⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        159⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        158⤵
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        159⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        160⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        159⤵
        
        PID:3472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        160⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        161⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        160⤵
        
        PID:1816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        161⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        162⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        161⤵
        Checks computer location settings
        
        PID:3820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:3152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        162⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        163⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        162⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        163⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        163⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        164⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        165⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        164⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:4568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        165⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        166⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        165⤵
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        166⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        166⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        167⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        168⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        167⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        168⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        168⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        169⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        169⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        169⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        170⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        169⤵
        
        PID:2004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        170⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        171⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        170⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        171⤵
        
        PID:716
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        172⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        171⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        172⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        173⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        173⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        173⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        174⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        175⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        174⤵
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        175⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        175⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        176⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        175⤵
        Checks computer location settings
        
        PID:644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        176⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        176⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        177⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        176⤵
        Checks computer location settings
        
        PID:380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        177⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        178⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        177⤵
        
        PID:3644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        178⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        178⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        179⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        178⤵
        Checks computer location settings
        
        PID:3632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        179⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        179⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        180⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        179⤵
        
        PID:1188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        181⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        180⤵
        Checks computer location settings
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        181⤵
        
        PID:384
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        182⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        181⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        182⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        182⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        183⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        182⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        183⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        183⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        184⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        183⤵
        Checks computer location settings
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        184⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        184⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        185⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        184⤵
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        185⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        185⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        185⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        186⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        185⤵
        
        PID:208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        186⤵
        
        PID:404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        186⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        186⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        187⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        186⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        187⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        187⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        187⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        188⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        189⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        188⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        189⤵
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        189⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        189⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        190⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        189⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        190⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        191⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        190⤵
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        191⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        191⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        192⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        191⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        192⤵
        
        PID:3096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        192⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        192⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        193⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        192⤵
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        193⤵
        
        PID:1328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        193⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        193⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        194⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        193⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        194⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        195⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        194⤵
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        195⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        195⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        196⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        195⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        196⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        197⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        196⤵
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        197⤵
        
        PID:3192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        198⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        197⤵
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        198⤵
        
        PID:3332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        198⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        198⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        199⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        198⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        199⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        199⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        200⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        199⤵
        
        PID:1316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        200⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        200⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        201⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        200⤵
        
        PID:5016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        201⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        201⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        202⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        201⤵
        
        PID:3960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:5040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        202⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        203⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        202⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        203⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        204⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        203⤵
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:4588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        204⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        205⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        204⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        205⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        205⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        206⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        205⤵
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        206⤵
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        207⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        206⤵
        
        PID:3900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        207⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        208⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        208⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        207⤵
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        208⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        208⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        209⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        208⤵
        
        PID:5016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        209⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        210⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        209⤵
        
        PID:3196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        210⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        210⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        211⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        210⤵
        
        PID:4444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        211⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        211⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        212⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        212⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        211⤵
        
        PID:4864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        212⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        212⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:980
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        213⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        212⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        213⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        214⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        213⤵
        
        PID:1192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        214⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        214⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        215⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        214⤵
        
        PID:1140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        215⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        215⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        216⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        215⤵
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        216⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        216⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        217⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        216⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:4212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        217⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        218⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        217⤵
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        218⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        219⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        218⤵
        
        PID:4908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        219⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        219⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        220⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        219⤵
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        220⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        220⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        221⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        220⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        221⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        222⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        221⤵
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        222⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        222⤵
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        223⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        222⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        223⤵
        
        PID:524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        224⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        223⤵
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        224⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        225⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        224⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:5024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd.exe"
        225⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        226⤵
        
        PID:4788

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 62965c23493ebdfb7b02fffe20110af4 uJZj0Nu/aUWJA7kGqUuafA.0.1.0.0.0
1⤵
PID:2584

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2340

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv uJZj0Nu/aUWJA7kGqUuafA.0.2
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3968-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/3968-1-0x0000000000130000-0x000000000016E000-memory.dmp

Filesize
248KB

Download
memory/3968-2-0x00000000024F0000-0x000000000251A000-memory.dmp

Filesize
168KB

Download
memory/3968-16-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3968-29-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download