Resubmissions

14/12/2023, 08:25

231214-kbc3nsdha2 10

14/12/2023, 07:45

231214-jlfe4sccbr 10

Analysis

  • max time kernel
    600s
  • max time network
    501s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/12/2023, 07:45

General

  • Target
    e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe
  • Size
    1.1MB
  • MD5
    4c7d2ec42f5b225982d9e2e96383a2fd
  • SHA1
    6edc8db346032a83402d7104c5783cc1e929e402
  • SHA256
    e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9
  • SHA512
    c83cd4b6394a2629ab7148cf1db73ae040d247809660e34ec895cee37af56e655f99db0eb88711d206407076b949dd5f5e4dad3be9f272bf2b7985575e147861
  • SSDEEP
    12288:TUOEh1CfIQ9wcSEzPXgFSuYxZyJhLA/3lqYV1lYT/S:oOq1cwcnjXgFSuYxZy72kYV1lYT

Malware Config

Extracted

Path

C:\Users\Admin\Albabat\readme.html

Ransom Note
Home | FAQ | Translator

127 files on your machine have been encrypted!

[+] I - ABOUT "Albabat Ransomware"

The "Albabat Ransomware" (White Bat - Translated from Latin) is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using military-grade symmetric and asymmetric encryption algorithm.

[+] II - THE KEY TO CRYPTOGRAPHY [+]

The "Albabat Ransomware" will automatically create a folder named "Albabat" in your user directory on your machine, but precisely in: "C:\Users\Admin\Albabat\" This folder contains the encryption KEY named "Albabat.ekey", and this same "README" file. This KEY Albabat.ekey performed the CRYPTOGRAPHY of your files, however, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), and only I (tH3_CyberXY) have the PRIVATE KEY to decrypt the "Albabat.ekey" KEY, and thus, you use it to decrypt your files. There is no way to decrypt your files without our data decryption service. There is no way to decrypt the files without decrypting the "Albabat.ekey" key. Don't delete, don't rename, don't lose the "Albabat.ekey" key. For security reasons, we even recommend making a BACKUP of the Albabat.ekey key.

[+] III - THE ENCRYPTION PROCESS [+]

Encrypted files have the extension ".abbt". Don't try to rename it, it won't work. On the contrary, you may corrupt your files. The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB). The "Albabat Ransomware" randomly recursively traverses all directories it does not belong to the operation of the Operating System. Encrypts files in the user directory, even database locations and drives mounted on the machine if any. The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that. The "Albabat Ransomware" saves a log file named "Albabat.log" in the "C:\Users\Admin\Albabat\" directory. In this file you can see all files that were encrypted by "Albabat Ransomware" in path form.

[+] IV - HOW TO CONTACT US [+]

These are the only ways to contact us. Any other form found on the internet will be false. Contact by: Our Email: [email protected]

[+] V - PAYMENT [+]

The decryption process is PAID in Bitcoin, so you need to have Bitcoin balance at a cryptocurrency broker or in a cryptocurrency wallet to make the deposit in our Bitcoin address. You may want to read the FAQ page to know what Bitcoin is. Payment data: Our Bitcoin address: bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj Amount to pay: 0,0015

- To make payment and restore your files, follow these steps -

(1) Write down the data to make the transfer through our Bitcoin address and the AMOUNT payable specified. Note: Remembering that the price of Bitcoin may vary monetarily depending on when you make the payment.

(2) - As soon as you make the payment to our Bitcoin address, send us an email. An example of an email to send us:
Subject: Albabat Ransomware - I did the payment!
Message: Hello, I made the payment. My BTC address where I made the payment is "BTC ADDRESS". The version of the "Albabat Ransomware" running on my machine was "0.1.0". Follow the attached KEY "Albabat.ekey".

IMPORTANT: We will check if the payment was made using YOUR Bitcoin ADDRESS "BTC ADDRESS" in which the transaction was made, so it is IMPORTANT to inform us when sending us this email. It is also IMPORTANT to send us the KEY "Albabat.ekey" as an attachment, regardless of the form of communication you choose to use with us. We will decrypt it for you. You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "Albabat Ransomware Decryptor" attached (zipped). Albabat.key" and the "Albabat Ransomware Decryptor" within 24 hours, but it may vary for longer or less depending on our availability hours, and the number of demands we received. Be patient. After payment, we will send the decrypted KEY to you and the "Albabat Ransomware Decryptor", we are fair!

[+] VI - DECRYPTION [+]

> To decrypt your files follow the steps below:

(1) Place the "Albabat.key" that you received by email, inside the "C:\Users\Admin\Albabat\" directory, or, if you prefer, keep it in the same directory as "Albabat Ransomware Decryptor".

> IMPORTANT: At this point, it is very important that you close all open Explorer windows, and heavy programs, to prevent "Albabat Ransomware Decryptor" from crashing. And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process, as disabling it for just a few minutes remains active.

(2) Run "Albabat Ransomware Decryptor". An alert message will appear informing you that the decryption started, just click Ok.

(3) Wait for the decryption completion message to be displayed in console, this may take a while depending on the quantity of files that have been encrypted and power of your machine. You can see the decryption process by I live from your files, if I have time for that.

(4) After decryption is complete, all your files will be restored.

If you have further questions, such as: "How can I be sure you will decrypt my files?", you can read the FAQ page.

Copyright (c) 2021-2023 Albabat Ransomware - All Rights Reserved. Maintained by: tH3_CyberXY.

Signatures

  • Renames multiple (127) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe
    "C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\system32\taskkill.exe
      "taskkill" /f /im chrome.exe
      2⤵
      • Kills process with taskkill
      PID:4768
    • C:\Windows\system32\cmd.exe
      "cmd" /C "del C:\Users\Admin\AppData\Roaming\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
      2⤵
      PID:5104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-fullscreen C:\Users\Admin\Albabat\readme.html --incognito
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffadfe19758,0x7ffadfe19768,0x7ffadfe19778
        3⤵
        PID:4780
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:2
        3⤵
        PID:4696
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:8
        3⤵
        PID:3056
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:8
        3⤵
        PID:2972
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:1
        3⤵
        PID:216
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:1
        3⤵
        PID:1172
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:8
        3⤵
        PID:2488
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:8
        3⤵
        PID:2912
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2876 --field-trial-handle=1852,i,11047140980934045787,9125607204309115621,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4628
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 5KB
    MD5: 8439e6947b3c5371d62b00a46767950d
    SHA1: 118d827b2000e67b55df195b2329dbd19c0e5dca
    SHA256: d309a4eac2a465ab0b6aa6ec4202384da12cfceaa817f2361e522c22e0064089
    SHA512: b22a825dbefd07d7903264fb72b0ea0cd0a25a894bcc27efe7f0a3710d779db4c83cfb5a2250bf60ea60ad416602b11f11708a4cdd29cd177b33d193d39803eb

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 6KB
    MD5: d3629e4875df260f2c9240c180c034a6
    SHA1: 5845cecfc56f9d92cce70234c4a88bb0134af939
    SHA256: c3904df61107958b1c88a31be0ff111e3f25b378c6af5951c83ce7e8af6662e1
    SHA512: 5d29201298215c0ae73fa17fc6073086753d9506ed90a2ee163dd1e6e7a1587b73d95cd60c799a501622e152956688aafb8cb3fe7c9e2404dd221bf752735a21

  • C:\Users\Admin\Albabat\readme.html
    Filesize: 10KB
    MD5: e3e1a4c1335206e00832d1271f11c855
    SHA1: 613623c2631cec00760d7b3eedd22a03dbcb60d8
    SHA256: aadb0fe785e0f09b0b4b8c0382e724f7bc85f14780e126ea0bff1ade337e7dcc
    SHA512: e9f2c9fb467bdbc2e294c6bb0e9e486abaf8b855a2f67ed231d641c40a2b89e9c3d257d5fc9d2d54c696e0cf2772c983f1bfed6fe241e11490dc181bfeacac4b

  • C:\Users\Admin\Albabat\www\banner.jpg
    Filesize: 34KB
    MD5: cdd21e46a5979655fe9debcf8d59cd4b
    SHA1: 94f8ce57c0507b88952fadc3f6f244fce64d2085
    SHA256: de25a55ff7e70c900c5e49e32aad2a0704ab074af5fee3eac230dc9bab373f04
    SHA512: bd0ce1c5098ffcfb52e3e183ba025ef1be4d0dd4a3fe8a90b60bb139d4717263e427339f1028aeec6aa8d32ff31181ebff8d306d2c34b57015b2a3049c21f45e

  • C:\Users\Admin\Albabat\www\script.js
    Filesize: 1KB
    MD5: 12cc88e90926ee7f39908fde78191942
    SHA1: e868d0f2c71c21232758183fa5d0523e68218d9f
    SHA256: 42031a79c0c671b46e8e932c6259cbdc46f9a016afee4017d3867bfad600ae65
    SHA512: 2a659cf4586abaee898cdfb46b48f2e8e381653bd0f98c49f6b240b77d4086a8577034c29b6bb3ae0d733900064dc6ed1efffe05ee64645f9a604a8d8b539c0d

  • C:\Users\Admin\Albabat\www\style.css
    Filesize: 2KB
    MD5: 004cc273978cefcf34495c5f4db1beac
    SHA1: 2d220b4b833fbca58f62d1441e9b62e9447af708
    SHA256: 9729ced9f3d6f006b45294e7d8c8c1f8ebdfe66f31e4777a14ab8c88be594f92
    SHA512: 47f9cda00d7dc9ff6393233c5cf6101f3e4bcd8fb283adc144627eec3443f13d2b4862cf3c24b7433529a892eacf272549fc2db2d6e294793a722926eaaf5057

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 2d0a206a39f34faec3e4137b42a1dfdb
    SHA1: de023b787342d1b2c569da53d1b7e44ea4c44057
    SHA256: c05e6721486c67410a215862b4c3091e6af000476f46581c910937317bfcd92d
    SHA512: b068420651b5d3d602aac1472770d72f377f3521b017870f874465cd86922cdfa8d114f298a934ccf9eec0f662e559b43a814b920c0a4537fc6e655191ee43de

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 98fe2dd722e382555e259e36024cc7a2
    SHA1: 65179f65f110d538a204111a97a0fa4e510bfae9
    SHA256: 89819d3472926332c6e7198dece31c13fe67ad93978802374104a7456881201d
    SHA512: ee180cd567c3ce5a343d6d735bf3aa25437888a0d0105165dfc259f475868a19ba39f938e61595138817def836e6d709067de565b11c3f265cbcd193cc19b1e8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 81476998384e38d4d3fd69086a11e505
    SHA1: 9bc47056f08c9629fb8cb5b5223da58c63d47cb4
    SHA256: eb05c5079e165939489b79272557e1b79fd622ad4cad71eece1bd5fd162ee4a9
    SHA512: aba45f6885de78c681a27b7998be382457ddb36590f6c5cd9c21b41079bf725b59c79b679f8a23925dc1735b316adfdad01dfa3a3d1048f89c8e621dfe4b1da9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 225KB
    MD5: da20fb2b7cb342850f3e2bf4c63f8833
    SHA1: 74b083657fbbac795c63d343050c40f8cb2fd484
    SHA256: 52f61f96adf5714e741767ff730a5cd9e9a2ff97bf9ef56596a22fed06f7b00d
    SHA512: d6e011da2fc5b4ee1c4ec86a0ffac513d951bcb76b6ba4e000d6079983990768c60bcbd46fcbe7495da575b5b77b13dc93d0f6a1965dc3884731016d748f94c0

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd