Resubmissions

14/12/2023, 08:25

231214-kbc3nsdha2 10

14/12/2023, 07:45

231214-jlfe4sccbr 10

Analysis

  • max time kernel
    265s
  • max time network
    279s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231130-en locale:en-us os:windows7-x64 system
  • submitted
    14/12/2023, 08:25

General

  • Target

    e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe

  • Size

    1.1MB

  • MD5

    4c7d2ec42f5b225982d9e2e96383a2fd

  • SHA1

    6edc8db346032a83402d7104c5783cc1e929e402

  • SHA256

    e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9

  • SHA512

    c83cd4b6394a2629ab7148cf1db73ae040d247809660e34ec895cee37af56e655f99db0eb88711d206407076b949dd5f5e4dad3be9f272bf2b7985575e147861

  • SSDEEP

    12288:TUOEh1CfIQ9wcSEzPXgFSuYxZyJhLA/3lqYV1lYT/S:oOq1cwcnjXgFSuYxZy72kYV1lYT

Malware Config

Extracted

Path

C:\Users\Admin\Albabat\readme.html

Ransom Note
Home | FAQ | Translator

157 files on your machine have been encrypted!

[+] I - ABOUT "Albabat Ransomware" [+]

The "Albabat Ransomware" (White Bat - translated from Latin) is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using a military-grade symmetric and asymmetric encryption algorithm.

[+] II - THE KEY TO CRYPTOGRAPHY [+]

The "Albabat Ransomware" will automatically create a folder named "Albabat" in your user directory on your machine, precisely in: "C:\Users\Admin\Albabat\". This folder contains the encryption KEY named "Albabat.ekey" and this same "README" file. This KEY Albabat.ekey performed the CRYPTOGRAPHY of your files; however, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), and only I (tH3_CyberXY) have the PRIVATE KEY to decrypt the "Albabat.ekey" KEY, and thus let you use it to decrypt your files. There is no way to decrypt your files without our data decryption service. There is no way to decrypt the files without decrypting the "Albabat.ekey" key. Don't delete, don't rename, don't lose the "Albabat.ekey" key. For security reasons, we even recommend making a BACKUP of the Albabat.ekey key.

[+] III - THE ENCRYPTION PROCESS [+]

Encrypted files have the extension ".abbt". Don't try to rename it, it won't work. On the contrary, you may corrupt your files. The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB). The "Albabat Ransomware" randomly and recursively traverses all directories that do not belong to the operation of the Operating System. It encrypts files in the user directory, even database locations and drives mounted on the machine, if any. The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that. The "Albabat Ransomware" saves a log file named "Albabat.log" in the "C:\Users\Admin\Albabat\" directory. In this file you can see all files that were encrypted by "Albabat Ransomware" in path form.

[+] IV - HOW TO CONTACT US [+]

These are the only ways to contact us. Any other form found on the internet will be false. Contact by: Our Email: [email protected]

[+] V - PAYMENT [+]

The decryption process is PAID in Bitcoin, so you need to have a Bitcoin balance at a cryptocurrency broker or in a cryptocurrency wallet to make the deposit to our Bitcoin address. You may want to read the FAQ page to know what Bitcoin is.

Payment data:
Our Bitcoin address: bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj
Amount to pay: 0,0015

- To make payment and restore your files, follow these steps -

(1) Write down the data to make the transfer to our Bitcoin address and the AMOUNT payable specified. Note: Remember that the price of Bitcoin may vary monetarily depending on when you make the payment.

(2) As soon as you make the payment to our Bitcoin address, send us an email. An example of an email to send us:
Subject: Albabat Ransomware - I did the payment!
Message: Hello, I made the payment. My BTC address where I made the payment is "BTC ADDRESS". The version of the "Albabat Ransomware" running on my machine was "0.1.0". Follow the attached KEY "Albabat.ekey".

IMPORTANT: We will check if the payment was made using YOUR Bitcoin ADDRESS "BTC ADDRESS" in which the transaction was made, so it is IMPORTANT to inform us when sending us this email. It is also IMPORTANT to send us the KEY "Albabat.ekey" as an attachment, regardless of the form of communication you choose to use with us. We will decrypt it for you. You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "Albabat Ransomware Decryptor" attached (zipped). Albabat.key" and the "Albabat Ransomware Decryptor" within 24 hours, but it may vary for longer or less depending on our availability hours and the number of demands we received. Be patient.

After payment, we will send the decrypted KEY to you and the "Albabat Ransomware Decryptor", we are fair!

[+] VI - DECRYPTION [+]

> To decrypt your files follow the steps below:

(1) Place the "Albabat.key" that you received by email inside the "C:\Users\Admin\Albabat\" directory, or, if you prefer, keep it in the same directory as "Albabat Ransomware Decryptor".

> IMPORTANT: At this point, it is very important that you close all open Explorer windows, and heavy programs, to prevent "Albabat Ransomware Decryptor" from crashing. And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process, as disabling it for just a few minutes remains active.

(2) Run "Albabat Ransomware Decryptor". An alert message will appear informing you that the decryption started, just click Ok.

(3) Wait for the decryption completion message to be displayed in the console; this may take a while depending on the quantity of files that have been encrypted and the power of your machine. You can see the decryption process by I live from your files, if I have time for that.

(4) After decryption is complete, all your files will be restored.

If you have further questions, such as: "How can I be sure you will decrypt my files?", you can read the FAQ page.

Copyright (c) 2021-2023 Albabat Ransomware - All Rights Reserved. Maintained by: tH3_CyberXY.

Signatures

  • Renames multiple (119) files with added filename extension

    This suggests ransomware activity: files are being encrypted and renamed. Note the count: 119 renames observed here versus the 157 files the ransom note claims, and the note itself says only files up to 5 MB outside Operating System directories are targeted, so this is selective encryption, not every file on the system.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc. In this run, however, the only browser activity in the process tree is the chrome.exe instance the sample launched to display readme.html, and the Chrome profile files listed under Downloads (Preferences, Local State, GCM Store, Sync Data) are files Chrome itself writes on start-up. Confirm which process triggered this signature before reading it as credential theft.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (40 IoCs)
  • Suspicious use of FindShellTrayWindow (36 IoCs)
  • Suspicious use of SendNotifyMessage (32 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe
    "C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\system32\taskkill.exe
      "taskkill" /f /im chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:272
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-fullscreen C:\Users\Admin\Albabat\readme.html --incognito
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c29758,0x7fef6c29768,0x7fef6c29778
        3⤵
        PID:2308
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:2
        3⤵
        PID:2624
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:8
        3⤵
        PID:2832
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:8
        3⤵
        PID:2840
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1528 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:1
        3⤵
        PID:1584
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:1
        3⤵
        PID:1388
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1488 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:2
        3⤵
        PID:3032
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 --field-trial-handle=1396,i,7216291235386864935,17017420004233595887,131072 /prefetch:8
        3⤵
        PID:1836
    • C:\Windows\system32\cmd.exe
      "cmd" /C "del C:\Users\Admin\AppData\Roaming\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
      2⤵
      PID:2564
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2064

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 4KB
    MD5: b5372b8fcb685d75e4698774d545eca2
    SHA1: a283886d20fe2268eb9429c405b05caabf705a2d
    SHA256: 84f75937ac19a625090d0785624a9c49c7f49f51b3ebbc2ca05fbcd40e98282b
    SHA512: 49b843580593f28da279dd7049373191647162b8966ad9d80c0838196997db8d4a3ec115091bd6ef001fd309b5e3db071ac0dadbecf7d0e256a45d11a17b2373

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 3KB
    MD5: be85cfd138111fb993347cc1c8d4ab36
    SHA1: 1a77d1cb54a44fc420c8b026f66bb9df3acc4cbb
    SHA256: d85cb60db0720931dbb12095ca23588ec477fc49a9c69d270a3297533c10dba5
    SHA512: 2a7aa8465f50146aa5f97e7aa44b1c20ca60d6e8a1d17ad884dcf52e1627c60b5edc71e640b1d156af5dd432a73e2186f2039e18188692410c59ca43a6e9d849

  • C:\Users\Admin\Albabat\readme.html
    Filesize: 10KB
    MD5: 153072868fe201affa6f94639f96d0b8
    SHA1: f3a98690a593077abf80e5923d31d3ce02a85dd3
    SHA256: 51f44b02f3b79be51c057a1657c7ca1e17b357067da113b539219343e126c5d4
    SHA512: cf60147016e1c100c917b384e0f10380d8439216eb5616df9b15f6b855358c7777bc52259a7721aa7805db8e6b1c3d4fe5f764f97e444e60a082a52806c1f237

  • C:\Users\Admin\Albabat\www\banner.jpg
    Filesize: 34KB
    MD5: cdd21e46a5979655fe9debcf8d59cd4b
    SHA1: 94f8ce57c0507b88952fadc3f6f244fce64d2085
    SHA256: de25a55ff7e70c900c5e49e32aad2a0704ab074af5fee3eac230dc9bab373f04
    SHA512: bd0ce1c5098ffcfb52e3e183ba025ef1be4d0dd4a3fe8a90b60bb139d4717263e427339f1028aeec6aa8d32ff31181ebff8d306d2c34b57015b2a3049c21f45e

  • C:\Users\Admin\Albabat\www\script.js
    Filesize: 1KB
    MD5: 12cc88e90926ee7f39908fde78191942
    SHA1: e868d0f2c71c21232758183fa5d0523e68218d9f
    SHA256: 42031a79c0c671b46e8e932c6259cbdc46f9a016afee4017d3867bfad600ae65
    SHA512: 2a659cf4586abaee898cdfb46b48f2e8e381653bd0f98c49f6b240b77d4086a8577034c29b6bb3ae0d733900064dc6ed1efffe05ee64645f9a604a8d8b539c0d

  • C:\Users\Admin\Albabat\www\style.css
    Filesize: 2KB
    MD5: 004cc273978cefcf34495c5f4db1beac
    SHA1: 2d220b4b833fbca58f62d1441e9b62e9447af708
    SHA256: 9729ced9f3d6f006b45294e7d8c8c1f8ebdfe66f31e4777a14ab8c88be594f92
    SHA512: 47f9cda00d7dc9ff6393233c5cf6101f3e4bcd8fb283adc144627eec3443f13d2b4862cf3c24b7433529a892eacf272549fc2db2d6e294793a722926eaaf5057

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
    Filesize: 16B
    MD5: aefd77f47fb84fae5ea194496b44c67a
    SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
    SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
    SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: b8ca49653afee29b394d7237573df9ce
    SHA1: 36c4ee50f58a4231fe6c896fb590c5e800806939
    SHA256: 8c883ce51a609a74f5376a57afdff92991e24fb6e0c1222c86d55a489c770c25
    SHA512: e2fa76c459ffec0491d300aafa4965af4c37fbfe828118ee07b35c9edd2e8418595d5334d17214e899b672e62d108f3d6cbf42d1450bf795afce8cd26568e315

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
    Filesize: 16B
    MD5: 18e723571b00fb1694a3bad6c78e4054
    SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
    Filesize: 264KB
    MD5: e1740946e11fa0a98797cb258909fdd1
    SHA1: d327bc69856afd5c26d7f1cf3282674f182a358d
    SHA256: e687ae63e8a3ad1b165fc1c8e7491c916ce762be37fb3a157cebe0cc69f50873
    SHA512: 75f6d28b11d7e1916e97eb9191d38bf096757bbe4bc040273a1c664ada8419502271b55325f3c71553ab894d29315f8cfc9b50f24e95262bfd22ac707340743e

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 114KB
    MD5: 95990ad93c276edcb30f40ec4532250b
    SHA1: cd2d81ac56234784c4ba8c6bef94fe45b0049c1d
    SHA256: 6b218af68297f3a5ddd2a118e240759e3afe6a48d5b03eef1211078eb07b66f0
    SHA512: 4a382eb00980c6cc934551d534a56066d11f65a0ea4ba25c823dbb75937f21994537eccbdbb40214cc7259bc7519029306631f01dfd1ddf184819be23bd37c25

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fb4e47dc-e2c8-47ce-b400-781e38a15bc1.tmp
    Filesize: 114KB
    MD5: a6a4cdb3631c93084134d1b1d4c06b6b
    SHA1: 282be66622b950a1ea3347a1ee29de23bd620325
    SHA256: c5ef43b3feb7bb8a319b9b2ac197f3fefb94325131441900b13b2e18dc3ae860
    SHA512: eacae76ee4cbbe29879e97562c4c898239e21ef0777043e09ab1621f305d8b413e7096e53530649620f55d9e27a961566711af2be1981426f35debe0e8db6011
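Host triage for the on-disk artifacts the ransom note describes (the Albabat folder in the user profile holding Albabat.ekey, Albabat.log and readme.html, and victim files renamed with .abbt), checked against the SHA-256 values listed under Downloads above. This is an added example, not code from the sample or the sandbox. Two assumptions the page does not confirm: Albabat.log holds one path per line, and the logged paths are the original file names before .abbt was appended (the note only says "in path form"). The demo profile the script builds is a constructed fixture, so its readme.html does not match the report's hash and the ioc_matches entry shows False; on a real host a True there ties the machine to this exact build.

```python
"""Triage a user profile for the artifacts the Albabat note describes (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".abbt"   # extension the note says is appended to encrypted files
NOTE_DIR = "Albabat"      # folder the note says is created in the user directory

# SHA-256 values copied from this report's Downloads section, keyed by path
# relative to the Albabat folder.
KNOWN_SHA256 = {
    "readme.html":    "51f44b02f3b79be51c057a1657c7ca1e17b357067da113b539219343e126c5d4",
    "www/banner.jpg": "de25a55ff7e70c900c5e49e32aad2a0704ab074af5fee3eac230dc9bab373f04",
    "www/script.js":  "42031a79c0c671b46e8e932c6259cbdc46f9a016afee4017d3867bfad600ae65",
    "www/style.css":  "9729ced9f3d6f006b45294e7d8c8c1f8ebdfe66f31e4777a14ab8c88be594f92",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_profile(profile: Path) -> dict:
    """Inspect one user profile (e.g. C:\\Users\\Admin) and return findings."""
    alb = profile / NOTE_DIR
    findings = {
        "albabat_dir": alb.is_dir(),
        "ekey_present": False,
        "ioc_matches": {},   # relative path -> True if its SHA-256 equals the report's
        "log_status": {},    # logged path -> "present" | "renamed" | "missing"
        "abbt_files": [],
    }
    if alb.is_dir():
        findings["ekey_present"] = (alb / "Albabat.ekey").is_file()
        for rel, known in KNOWN_SHA256.items():
            f = alb / rel
            if f.is_file():
                findings["ioc_matches"][rel] = sha256_file(f) == known
        log = alb / "Albabat.log"
        if log.is_file():
            # Assumption: one path per line, original name before .abbt was appended.
            for line in log.read_text(encoding="utf-8", errors="replace").splitlines():
                entry = line.strip()
                if not entry:
                    continue
                if Path(entry).exists():
                    status = "present"
                elif Path(entry + ENCRYPTED_EXT).exists():
                    status = "renamed"
                else:
                    status = "missing"
                findings["log_status"][entry] = status
    findings["abbt_files"] = sorted(str(p) for p in profile.rglob("*" + ENCRYPTED_EXT))
    return findings


def triage_users_root(users_root: Path) -> dict:
    """Run triage_profile over every profile under C:\\Users (or a mounted image)."""
    return {p.name: triage_profile(p) for p in users_root.iterdir() if p.is_dir()}


def build_demo_profile(root: Path) -> Path:
    """Constructed fixture laid out as the note describes; not real sample output."""
    profile = root / "Users" / "Admin"
    docs = profile / "Documents"
    docs.mkdir(parents=True)
    victims = [docs / "budget.xlsx", docs / "thesis.docx"]
    for v in victims:  # stand-in ciphertext, renamed with the .abbt extension
        v.with_name(v.name + ENCRYPTED_EXT).write_bytes(os.urandom(64))
    alb = profile / NOTE_DIR
    (alb / "www").mkdir(parents=True)
    (alb / "Albabat.ekey").write_bytes(os.urandom(256))  # stand-in for the encrypted key
    (alb / "readme.html").write_text("<html>constructed stand-in, not the real note</html>")
    (alb / "www" / "style.css").write_text("body{}")
    (alb / "Albabat.log").write_text("\n".join(str(v) for v in victims) + "\n")
    return profile


def run_demo() -> dict:
    """Build the fixture in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_profile(build_demo_profile(Path(tmp)))


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Against a live host or a mounted image, call triage_users_root(Path(r"C:\Users")) instead of run_demo(); "missing" entries in log_status point at files that were moved or deleted after encryption, and the .abbt count can be compared with the rename count in the Signatures section and the file count the note claims.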