550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf

General

Target

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
Size

22KB
MD5

64f7ac45f930fe0ae05f6a6102ddb511
SHA1

499c21991aecc205fd9c64784909d94eb34a9a71
SHA256

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf
SHA512

864f551b85dcacfc6ecb0af94292c520366889c09287b1c34fb2971113744ef364eff8c4b77739baa25a8456be3f7bb8b7d19ab21c241b7330bf0a22f63abcd5

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note

----------- [ Hello, Alentec Orion ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. What information compromised? ---------------------------------------------- We copied more than 10 gb from your internal network, here are some proofs, for additional confirmations, please chat with us In cases of ignoring us, the information will be released to the public. How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): http://babukq4e2p4wu4iq.onion/login.php?id=6iAq0NR1jS3TgDD3OoEiWFHJpUPrGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

URLs

http://babukq4e2p4wu4iq.onion/login.php?id=6iAq0NR1jS3TgDD3OoEiWFHJpUPrGc

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestoreRevoke.tiff => C:\Users\Admin\Pictures\RestoreRevoke.tiff.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\SelectMove.png => C:\Users\Admin\Pictures\SelectMove.png.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\StepJoin.tiff => C:\Users\Admin\Pictures\StepJoin.tiff.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\EnterSplit.tif => C:\Users\Admin\Pictures\EnterSplit.tif.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\RedoRevoke.png => C:\Users\Admin\Pictures\RedoRevoke.png.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveDisconnect.tiff => C:\Users\Admin\Pictures\RemoveDisconnect.tiff.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\RequestSet.tif => C:\Users\Admin\Pictures\RequestSet.tif.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreRevoke.tiff	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepJoin.tiff	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\EnableLimit.png => C:\Users\Admin\Pictures\EnableLimit.png.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File renamed	C:\Users\Admin\Pictures\MergeFind.tif => C:\Users\Admin\Pictures\MergeFind.tif.babuk2	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveDisconnect.tiff	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe

description	ioc	process
File opened (read-only)	\??\V:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\Q:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\W:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\T:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\I:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\P:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\H:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\K:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\B:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\Z:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\E:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\Y:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\O:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\A:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\G:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\J:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\N:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\R:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\U:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\S:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\F:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\L:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\X:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
File opened (read-only)	\??\M:	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2004 vssadmin.exe
888 vssadmin.exe

pid	process
2004	vssadmin.exe
888	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe

pid	process
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1456 vssvc.exe
Token: SeRestorePrivilege 1456 vssvc.exe
Token: SeAuditPrivilege 1456 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1456	vssvc.exe
Token: SeRestorePrivilege	1456	vssvc.exe
Token: SeAuditPrivilege	1456	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.execmd.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 1940	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1652 wrote to memory of 1940	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1652 wrote to memory of 1940	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1652 wrote to memory of 1940	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1940 wrote to memory of 2004	1940	cmd.exe	vssadmin.exe
PID 1940 wrote to memory of 2004	1940	cmd.exe	vssadmin.exe
PID 1940 wrote to memory of 2004	1940	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 1704	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1652 wrote to memory of 1704	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1652 wrote to memory of 1704	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1652 wrote to memory of 1704	1652	550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe	cmd.exe
PID 1704 wrote to memory of 888	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 888	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 888	1704	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
"C:\Users\Admin\AppData\Local\Temp\550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-8-0x0000000000000000-mapping.dmp

Download
memory/1652-2-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1652-3-0x0000000001FF0000-0x0000000002001000-memory.dmp

Filesize
68KB

Download
memory/1652-4-0x0000000002400000-0x0000000002411000-memory.dmp

Filesize
68KB

Download
memory/1704-7-0x0000000000000000-mapping.dmp

Download
memory/1940-5-0x0000000000000000-mapping.dmp

Download
memory/2004-6-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads