Windows Analysis Report
Fqae7BLq4m.exe

Overview

General Information

Sample name: Fqae7BLq4m.exe
Analysis ID: 1579418
MD5: a994f2b3b899758bddf5f35e407a694d
SHA1: a13dedaceed797a4ee8b399c7db20e88535ab6cc
SHA256: 6c547f7a7e7964a03945cef9bd53e792256e2beb24e15be780714ae349c8a81b
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

barindex
Source: C:\Users\user\AppData\Local\Temp\backup.dll ReversingLabs: Detection: 42%
Source: C:\Users\Public\Bilite\Axialis\libcurl.dll ReversingLabs: Detection: 42%
Source: Fqae7BLq4m.exe ReversingLabs: Detection: 42%
Source: Fqae7BLq4m.exe Virustotal: Detection: 19% Perma Link
Source: Fqae7BLq4m.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201220974867.0000000008585000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb>1 source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb], source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb, source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb0 source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: z: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: x: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: v: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: t: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: r: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: p: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: n: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: l: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: j: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: h: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: f: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: d: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: b: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: y: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: w: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: u: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: s: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: q: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: o: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: m: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: k: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: i: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: g: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c: Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File opened: [: Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79

Networking

barindex
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49767 -> 43.250.172.42:17091
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49774 -> 43.250.172.42:17091
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49778 -> 43.250.172.42:17091
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49781 -> 43.250.172.42:17092
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49783 -> 43.250.172.42:17092
Source: global traffic TCP traffic: 43.250.172.42 ports 18852,17091,17092,1,2,5,8
Source: global traffic TCP traffic: 192.168.11.20:49766 -> 43.250.172.42:18852
Source: Joe Sandbox View ASN Name: VPSQUANUS VPSQUANUS
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.250.172.42
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: powershell.exe, 0000000D.00000002.201206447534.0000000006368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.0000000004891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 0000000E.00000002.201214927053.0000000007114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.o
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.0000000004891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 0000000D.00000002.201206447534.0000000006368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: RuntimeBrokers.exe, 00000004.00000003.201172043695.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_664e0faa-d
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00404FAA 0_2_00404FAA
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0041206B 0_2_0041206B
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0041022D 0_2_0041022D
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00411F91 0_2_00411F91
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: String function: 0040243B appears 37 times
Source: Fqae7BLq4m.exe, 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe, 00000000.00000003.200307382834.0000000002601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.troj.evad.winEXE@101/44@0/1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00407776
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040118A
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004034C1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_00401BDF
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9028:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:304:WilStaging_02
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Mutant created: \Sessions\1\BaseNamedObjects\2024.12.14
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8972:304:WilStaging_02
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File created: C:\Users\user\AppData\Local\Temp\monitor.bat Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: Fqae7BLq4m.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\findstr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Fqae7BLq4m.exe ReversingLabs: Detection: 42%
Source: Fqae7BLq4m.exe Virustotal: Detection: 19%
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File read: C:\Users\user\Desktop\Fqae7BLq4m.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Fqae7BLq4m.exe "C:\Users\user\Desktop\Fqae7BLq4m.exe"
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: libcurl.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: dinput8.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: devenum.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: Firefox Setup 132.0.2.exe.lnk.4.dr LNK file: ..\..\Public\Bilite\Firefox Setup 132.0.2.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Fqae7BLq4m.exe Static file information: File size 70322189 > 1048576
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201220974867.0000000008585000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb>1 source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb], source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb, source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb0 source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: libcurl.dll.0.dr Static PE information: section name: .00cfg
Source: backup.dll.4.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File created: C:\Users\user\AppData\Local\Temp\backup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe Jump to dropped file
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite\Axialis\libcurl.dll Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File created: C:\Users\user\AppData\Local\Temp\backup.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4 Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Window / User API: threadDelayed 8105 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9806 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9846 Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Dropped PE file which has not been started: C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8260 Thread sleep time: -73000s >= -30000s Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep count: 105 > 30 Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep time: -315000s >= -30000s Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep count: 8105 > 30 Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep time: -24315000s >= -30000s Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8864 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 1808 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9136 Thread sleep count: 9806 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9196 Thread sleep count: 9846 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4608 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3292 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8144 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6148 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4292 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5432 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5840 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5476 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4560 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7612 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1564 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3384 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 32 Thread sleep count: 268 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Thread delayed: delay time: 73000 Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00401626
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs