sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, sophos, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, veeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc,

Process List

sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe

Mutexes

\Sessions\1\BaseNamedObjects\babuk_v2
\Sessions\1\BaseNamedObjects\babuk_v3
\Sessions\1\BaseNamedObjects\DoYouWantToHaveSexWithCoungDong

YARA Rule

rule Ransom_Babuk {
    meta:
        description = "Rule to detect Babuk Locker unpacked"
        author = "McAfee ATR"
        date = "2021-01-19"
        hash = "e10713a4a5f635767dcd54d609bed977"
        rule_version = "v1.1"
        malware_family = "Ransom:Win/Babuk"
        malware_type = "Ransom"
        mitre_attack = "T1027, T1083, T1057, T1082, T1129, T1490, T1543.003"