description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ReadClose.crw => C:\Users\Admin\Pictures\ReadClose.crw.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StopConvert.png.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\GroupBlock.crw.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadClose.crw.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SendInvoke.png.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResetMerge.crw.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SelectRevoke.tiff.OOeeED	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\StopConvert.png => C:\Users\Admin\Pictures\StopConvert.png.OOeeED	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\GroupBlock.crw => C:\Users\Admin\Pictures\GroupBlock.crw.OOeeED	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\RedoDeny.tif => C:\Users\Admin\Pictures\RedoDeny.tif.OOeeED	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ResetMerge.crw => C:\Users\Admin\Pictures\ResetMerge.crw.OOeeED	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SendInvoke.png => C:\Users\Admin\Pictures\SendInvoke.png.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RedoDeny.tif.OOeeED	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SelectRevoke.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SelectRevoke.tiff => C:\Users\Admin\Pictures\SelectRevoke.tiff.OOeeED	build-x64-crypt.bin.exe

description	ioc	Process
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

pid	Process
3584	taskkill.exe
3108	taskkill.exe
2164	taskkill.exe
3112	taskkill.exe
3848	taskkill.exe
3112	taskkill.exe
3848	taskkill.exe
3800	taskkill.exe
3844	taskkill.exe
1732	taskkill.exe
3808	taskkill.exe
3800	taskkill.exe
2528	taskkill.exe
676	taskkill.exe
3112	taskkill.exe
1684	taskkill.exe
3420	taskkill.exe
2856	taskkill.exe
3600	taskkill.exe
568	taskkill.exe
3012	taskkill.exe
3720	taskkill.exe
3064	taskkill.exe
3812	taskkill.exe
3824	taskkill.exe
3844	taskkill.exe
2236	taskkill.exe
1128	taskkill.exe
3712	taskkill.exe
280	taskkill.exe
840	taskkill.exe
260	taskkill.exe
1380	taskkill.exe
3832	taskkill.exe
2184	taskkill.exe
676	taskkill.exe
1264	taskkill.exe
840	taskkill.exe
1036	taskkill.exe
1100	taskkill.exe
3140	taskkill.exe
2984	taskkill.exe
1712	taskkill.exe
1900	taskkill.exe
3436	taskkill.exe
1316	taskkill.exe
1524	taskkill.exe
3232	taskkill.exe
2160	taskkill.exe
3464	taskkill.exe
3436	taskkill.exe
2152	taskkill.exe
3140	taskkill.exe
1684	taskkill.exe
1264	taskkill.exe
2412	taskkill.exe
568	taskkill.exe
3720	taskkill.exe
3720	taskkill.exe
2164	taskkill.exe
3832	taskkill.exe
2856	taskkill.exe
1316	taskkill.exe
1964	taskkill.exe
1652	taskkill.exe
2184	taskkill.exe
1188	taskkill.exe
1384	taskkill.exe
488	taskkill.exe
980	taskkill.exe
3584	taskkill.exe
488	taskkill.exe
640	taskkill.exe
2876	taskkill.exe
3712	taskkill.exe
3444	taskkill.exe
3368	taskkill.exe
3892	taskkill.exe
3800	taskkill.exe
3844	taskkill.exe
3720	taskkill.exe
1560	taskkill.exe
3808	taskkill.exe
2528	taskkill.exe
640	taskkill.exe
3076	taskkill.exe
1972	taskkill.exe
3660	taskkill.exe
1932	taskkill.exe
1260	taskkill.exe
2536	taskkill.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeBackupPrivilege	3988	vssvc.exe
Token: SeRestorePrivilege	3988	vssvc.exe
Token: SeAuditPrivilege	3988	vssvc.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	260	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	3368	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe

pid	Process
3636	bcdedit.exe
3924	bcdedit.exe

description	pid	Process	procid_target
PID 3024 wrote to memory of 3020	3024	build-x64-crypt.bin.exe	68
PID 3024 wrote to memory of 3020	3024	build-x64-crypt.bin.exe	68
PID 3020 wrote to memory of 3820	3020	cmd.exe	70
PID 3020 wrote to memory of 3820	3020	cmd.exe	70
PID 3024 wrote to memory of 4012	3024	build-x64-crypt.bin.exe	74
PID 3024 wrote to memory of 4012	3024	build-x64-crypt.bin.exe	74
PID 4012 wrote to memory of 2536	4012	cmd.exe	76
PID 4012 wrote to memory of 2536	4012	cmd.exe	76
PID 3024 wrote to memory of 3264	3024	build-x64-crypt.bin.exe	77
PID 3024 wrote to memory of 3264	3024	build-x64-crypt.bin.exe	77
PID 3264 wrote to memory of 2684	3264	cmd.exe	79
PID 3264 wrote to memory of 2684	3264	cmd.exe	79
PID 3024 wrote to memory of 2168	3024	build-x64-crypt.bin.exe	80
PID 3024 wrote to memory of 2168	3024	build-x64-crypt.bin.exe	80
PID 2168 wrote to memory of 3636	2168	cmd.exe	82
PID 2168 wrote to memory of 3636	2168	cmd.exe	82
PID 3024 wrote to memory of 1932	3024	build-x64-crypt.bin.exe	83
PID 3024 wrote to memory of 1932	3024	build-x64-crypt.bin.exe	83
PID 1932 wrote to memory of 3924	1932	cmd.exe	85
PID 1932 wrote to memory of 3924	1932	cmd.exe	85
PID 3024 wrote to memory of 3724	3024	build-x64-crypt.bin.exe	86
PID 3024 wrote to memory of 3724	3024	build-x64-crypt.bin.exe	86
PID 3724 wrote to memory of 488	3724	cmd.exe	88
PID 3724 wrote to memory of 488	3724	cmd.exe	88
PID 3024 wrote to memory of 272	3024	build-x64-crypt.bin.exe	89
PID 3024 wrote to memory of 272	3024	build-x64-crypt.bin.exe	89
PID 272 wrote to memory of 3660	272	cmd.exe	91
PID 272 wrote to memory of 3660	272	cmd.exe	91
PID 3024 wrote to memory of 3020	3024	build-x64-crypt.bin.exe	92
PID 3024 wrote to memory of 3020	3024	build-x64-crypt.bin.exe	92
PID 3020 wrote to memory of 676	3020	cmd.exe	94
PID 3020 wrote to memory of 676	3020	cmd.exe	94
PID 3024 wrote to memory of 3544	3024	build-x64-crypt.bin.exe	95
PID 3024 wrote to memory of 3544	3024	build-x64-crypt.bin.exe	95
PID 3544 wrote to memory of 3112	3544	cmd.exe	97
PID 3544 wrote to memory of 3112	3544	cmd.exe	97
PID 3024 wrote to memory of 3616	3024	build-x64-crypt.bin.exe	98
PID 3024 wrote to memory of 3616	3024	build-x64-crypt.bin.exe	98
PID 3616 wrote to memory of 1684	3616	cmd.exe	100
PID 3616 wrote to memory of 1684	3616	cmd.exe	100

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.