babuk | a9ce03985ab87b07c8481da5d59db8608b2fc946df99d0ff19dc0d34d66945ee

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-07-2022 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
Size

811KB
MD5

7d710e304c5d5d1febe8c0e1bf14615a
SHA1

34d813aedb66d14ece1276f8ee61a568546c8dbe
SHA256

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9
SHA512

6ece233063306b29c3abf1d4449a9cf172a77f44f2f2ceb48ea23161de57aa795c720d263ea9d6964c7ec5756024e21a6464cabd47c6a8ca9e49263b2b339bab

Score

10^/10

babuk ransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note

..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You dont have much time for this. Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: AstraLocker@ or astralocker@ to get the decryptor The best way is contact both. Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You can harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key.

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddSync.raw => C:\Users\Admin\Pictures\AddSync.raw.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened for modification	C:\Users\Admin\Pictures\AddSync.raw.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File renamed	C:\Users\Admin\Pictures\LimitProtect.png => C:\Users\Admin\Pictures\LimitProtect.png.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File renamed	C:\Users\Admin\Pictures\ResolveJoin.raw => C:\Users\Admin\Pictures\ResolveJoin.raw.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveJoin.raw.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File renamed	C:\Users\Admin\Pictures\UnprotectSuspend.tiff => C:\Users\Admin\Pictures\UnprotectSuspend.tiff.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSuspend.tiff.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSuspend.tiff	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened for modification	C:\Users\Admin\Pictures\LimitProtect.png.babyk	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

description	ioc	process
File opened (read-only)	\??\S:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\J:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\L:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\W:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\E:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\R:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\T:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\M:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\O:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\A:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\Z:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\B:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\K:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\X:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\V:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\N:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\Y:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\I:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\P:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\F:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\Q:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\U:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\G:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
File opened (read-only)	\??\H:	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

pid	process
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2036 vssadmin.exe
1108 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe

pid process

1528 b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1724 vssvc.exe
Token: SeRestorePrivilege 1724 vssvc.exe
Token: SeAuditPrivilege 1724 vssvc.exe

pid	process
2036	vssadmin.exe
1108	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1724	vssvc.exe
Token: SeRestorePrivilege	1724	vssvc.exe
Token: SeAuditPrivilege	1724	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.execmd.execmd.exe

description	pid	process	target process
PID 1528 wrote to memory of 984	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 1528 wrote to memory of 984	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 1528 wrote to memory of 984	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 1528 wrote to memory of 984	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 984 wrote to memory of 2036	984	cmd.exe	vssadmin.exe
PID 984 wrote to memory of 2036	984	cmd.exe	vssadmin.exe
PID 984 wrote to memory of 2036	984	cmd.exe	vssadmin.exe
PID 1528 wrote to memory of 580	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 1528 wrote to memory of 580	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 1528 wrote to memory of 580	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 1528 wrote to memory of 580	1528	b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe	cmd.exe
PID 580 wrote to memory of 1108	580	cmd.exe	vssadmin.exe
PID 580 wrote to memory of 1108	580	cmd.exe	vssadmin.exe
PID 580 wrote to memory of 1108	580	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe
"C:\Users\Admin\AppData\Local\Temp\b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-4815-0x0000000000000000-mapping.dmp

Download
memory/984-4811-0x0000000000000000-mapping.dmp

Download
memory/1108-4817-0x0000000000000000-mapping.dmp

Download
memory/1528-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1528-56-0x00000000772D0000-0x0000000077317000-memory.dmp

Filesize
284KB

Download
memory/1528-289-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1528-463-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-464-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-465-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-467-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-466-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-468-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-469-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-470-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-471-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-475-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-476-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-474-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-473-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-472-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-477-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-480-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-479-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-478-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-482-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-481-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-484-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-485-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-486-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-483-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-487-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-488-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-490-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-497-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-498-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-499-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-500-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-496-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-501-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-495-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-494-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-493-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-492-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-502-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-491-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-503-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-505-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-506-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-507-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-508-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-511-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-513-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-515-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-516-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-517-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-518-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-514-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-512-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-519-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-510-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-509-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-504-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-489-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-520-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-523-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-524-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-522-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-521-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-1478-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1528-1480-0x00000000021A0000-0x0000000002321000-memory.dmp

Filesize
1.5MB

Download
memory/1528-4809-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1528-4810-0x00000000006B0000-0x00000000007B1000-memory.dmp

Filesize
1.0MB

Download
memory/1528-4812-0x0000000002060000-0x0000000002101000-memory.dmp

Filesize
644KB

Download
memory/1528-4814-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1528-4816-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2036-4813-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads