Resubmissions

31-03-2024 07:20

240331-h5425sfh6t 10

14-01-2024 09:31

240114-lg9t9sfgfj 9

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    31-03-2024 07:20

General

  • Target

    483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

  • Size

    974KB

  • MD5

    45d20637261dea248644a849818659a0

  • SHA1

    29a81b7cf0f5f4a69fe47c4ccf3d06a300899997

  • SHA256

    483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74

  • SHA512

    a9c935eb23fba99ba74299db7b8ac3a158183d9fe9ccaaa87e8a1b9d39c518d223563378d981e6bf386f058b159609fb42e14ca45c023f7688ca57e0c61d2519

  • SSDEEP

    12288:fFDF/UI+c+xTOQUMnufZUgxXu/VzcccSCO4lkAjx9h/MR1V:fjnb+OQUMnufZ+tzcccSCO6ke3/Mf

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Albabat_README.html

Ransom Note
Top | About | Payment | Contact | Decryption | FAQ | Translator 116 files on your machine have been encrypted! Your PERSONAL ID: bbade731b4a2cc2d6482baba ::> How important are your files to you? Read this document for information on what happened and how to recover your files again. [+] 1 - ABOUT "Albabat Ransomware" [+] The "Albabat Ransomware" is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using symmetric encryption algorithm with military-grade identification. The "Albabat Ransomware" will automatically create a folder called "Albabat" in your machine's user directory, but precisely in: "C:\Users\Admin\Albabat\". IT IS RECOMMENDED to make a BACKUP of the ENTIRE "C:\Users\Admin\Albabat\" folder, as it contains important files for recovering your files, which will be explained later in this document about each of them. This folder also contains these same note documents, in: "C:\Users\Admin\Albabat\readme\README.html". - 1.1 - THE KEY TO CRYPTOGRAPHY Your files were encrypted with a KEY that was stored in the file "Albabat.ekey". Present in the "C:\Users\Admin\Albabat\" directory. However, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), which means that it requires a PRIVATE KEY to be decrypted, and only I (tH3_CyberXY) have the PRIVATE KEY to perform this decryption, so that you can use the KEY "Albabat.key" in recovering your files. There is no way to decrypt your files without my data decryption service. There is no way to decrypt the files without decrypting the "Albabat.ekey" key. Don't delete, don't rename, don't lose the "Albabat.ekey" key. - 1.2 - YOUR PERSONAL ID Just like "Albabat.ekey", the PERSONAL ID is important in the process of decrypting your files, which will be used in the decryptor, which will be discussed later in the "DECRYPTION PROCESS" section. This number maintains a unique identity in your machine's encryption process. 
In addition to being informed in this document, your PERSONAL ID will also be printed in the "personal_id.txt" file in "C:\Users\Admin\Albabat\". Do not lose your PERSONAL ID, just as you should NOT lose the "Albabat.ekey" key. - 1.3 - THE ENCRYPTION PROCESS Encrypted files have the extension ".abbt". Don't try to rename it, it won't work. On the contrary, you may corrupt your files. The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB). The "Albabat Ransomware" randomly recursively traverses all directories it does not belong to the operation of the Operating System. Encrypts files in the user directory, even database locations and drives mounted on the machine if any. The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that. The "Albabat Ransomware" saves a log file named "Albabat_Logs.log" in the "C:\Users\Admin\Albabat\" directory. This file you can see all files that were encrypted by "Albabat Ransomware" in path form. [+] 2 - HOW TO CONTACT [+] These are the only ways to get in touch to recover your files. Any other form found on the internet will be fake. Contact methods: Email: albabat.help@protonmail.com [+] 3 - PAYMENT [+] The decryption process is PAID in Bitcoin, so you need to have a Bitcoin balance on a cryptocurrency exchange or in a cryptocurrency wallet to make the deposit. You may want to read the FAQ page to know what Bitcoin is. Payment data: Bitcoin address: bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj Amount to pay: 0,0015 BTC - To make payment and restore your files, follow these steps - (1) Write down the data to make the transfer via the Bitcoin address and the AMOUNT to pay specified above. Note: Remembering that the price of Bitcoin may vary monetarily depending on when you make the payment. 
(2) - Once you make the payment to the Bitcoin address above, send an email with a structure similar to this: Subject: Albabat Ransomware - I did the payment! Message: Hello, I made the payment. My BTC address where I made the payment is "xxx". The version of the "Albabat Ransomware" running on my machine was "0.3.0". Follow the attached KEY "Albabat.ekey". IMPORANT: Payment will be verifying using YOUR BTC ADDRESS ("xxx") in which the transaction was carried out, so it is IMPORTANT to inform when sending this email. It is also IMPORTANT that you send the KEY "Albabat.ekey" as an attachment, regardless of the contact method you chose. The key will be decrypted for you. You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "decryptor.exe" attached (zipped). Albabat.key" and "decryptor.exe" within 24 hours, but it may vary by more or less depending on my availability times and the amount of demands I receive. Be patient. [+] 4 - DECRYPTION PROCESS [+] > To decrypt your files follow the steps below: (1) Place the "Albabat.key" that you received by email, inside the "C:\Users\Admin\Albabat\" directory, or, if you prefer, keep it in the same directory as "decryptor.exe". > IMPORTANT:At this point, it is very important that you close all open Explorer windows, and heavy programs, to prevent "decryptor.exe" from crashing and/or have poor performance. And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process. (2) Run "decryptor.exe" and enter YOUR PERSONAL ID, then press ENTER. An alert message will appear informing you that the decryption started, just click Ok. Note: If you are on Linux, open a terminal and run from the command line to see the process. E.g: ./decryptor (3) Wait for the decryption completion message to be displayed in console, this may take a while depending on the quantity of files that have been encrypted and power of your machine. 
You can see the decryption process by I live from your files, if I have time for that. (4) After decryption is complete, all your files will be restored and the decryption log file "Albabat_Logs.log". will be created in the decryptor directory. If you have further questions, such as: "How can I be sure my files can be decrypted?", you can read the FAQ page. Copyright (c) 2021-2023 Albabat Ransomware - All Right Reserved. Maintained by: tH3_CyberXY.
Emails

albabat.help@protonmail.com

Extracted

Path

C:\Users\Admin\Albabat\readme\pages\faq.html

Ransom Note
Home | FAQ | Translator [+] FAQ [+] (1) - What is Bitcoin? How to get Bitcoin? A:- You can search on the internet what Bitcoin is, but in short it is a digital currency (cryptocurrency), created in a network protected by layers and layers of code, where to obtain balance from it you need to buy it at a cryptocurrency broker, or on the official Bitcoin website itself. The official Bitcoin website is bitcoin.org. By accessing the official website, you will have more information and also the possibility of purchasing your Bitcoins. (2) - How can I be sure my files can be decrypted? I like working with evidence. To do this, you can send me the key "Albabat.ekey", your PERSONAL ID, (both present in "C:\Users\Admin\Albabat\"), and an encrypted file. I will decrypt this file and take a screenshot for you as proof that I have access to decrypt your files. (3) Where do I find the software to decrypt my files? A:- The only way to decrypt files that the "Albabat Ransomware" has encrypted is with decryption software of the "Albabat Ransomware" itself. The same is called decryptor.exe. You can get the same after the payment action you take to rescue your data. (4) My encrypted files are not being found and decrypted, what do I do? A:- This can occur due to several factors, directory or file permission is one of those factors. To solve this, you can create a folder in your user's root directory, but precisely in "C:\Users\Admin", with the name "Albabat_Search", and place your encrypted files inside that folder. decryptor.exe will do a "recursive loop" through everything that is encrypted inside that folder, and will consequently decrypt everything. (5) What options for contacting you? A:- At the moment, there is only 1 (one) way to contact me, which is through my email (albabat.help@protonmail.com), any other form of contact attributed to me offering ransom is false. (6) I have a balance in another cryptocurrency, can I use it instead of Bitcoin? A:- NO! 
We only accept Bitcoin as a payment method. Do not try to transfer with another cryptocurrency, you will lose your coins. (7) Can I move my encrypted files or rename them? A:- It's not recommended. If you place your encrypted files in a directory that "Albabat Ransomware" did not traverse, will not be found for decryption. You can even rename the encrypted file, but you MUST NOT change the ".abbt" extension of the files before decrypting, it is through this extension that the files will be found for decryption. (8) If I use other software to decrypt KEY Albabat.ekey and my files will it work? A:- Negative! DO NOT attempt to decrypt your files and/or the KEY Albabat.ekey with any software, as it may become corrupted and will not work, and there is a high chance that you will lose forever. There are several recovery software developers promising this, but it is not true, they do this to people buy their removal software. (9) I am unable to pay the amount, do you offer a discount? A:- We do not negotiate changes to the payment amount, DO NOT insist. The value is immutable! Also DO NOT send "PAID" to my email without paying, the price WILL go up due to disobedience and lies. For this reason, we do not include an estimated deadline for payment to be made, so you have as much time as you want. This is our greatest kindness in negotiation. (10) I lost my Albabat.ekey and/or my PERSONAL ID, is it possible to recover my files without them? A:- Unfortunately, you will not be able to recover your files if you have lost your PERSONAL ID or Albabat.ekey. Therefore, we recommend backing up the folder: C:\Users\Admin\Albabat\. Copyright (c) 2021-2023 Albabat Ransomware - All Right Reserved.
Emails

albabat.help@protonmail.com

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (116) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Stops running service(s) 3 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 17 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe
    "C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2516
    • C:\Windows\system32\reg.exe
      "reg" add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 0
      2⤵
      PID:2552
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM chrome.exe
      2⤵
      PID:2660
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM mspub.exe
      2⤵
      PID:2688
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM mspub.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM msedge.exe
      2⤵
      PID:2628
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:876
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM winword.exe
      2⤵
      PID:2564
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM winword.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM outlook.exe
      2⤵
      PID:2608
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM outlook.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:684
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM windowsterminal.exe
      2⤵
      PID:2612
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM windowsterminal.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM sublime_text.exe
      2⤵
      PID:2588
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sublime_text.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM code.exe
      2⤵
      PID:2532
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM code.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM mysqlworkbench.exe
      2⤵
      PID:2540
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM mysqlworkbench.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM onedrive.exe
      2⤵
      PID:2600
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM onedrive.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM msaccess.exe
      2⤵
      PID:2692
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msaccess.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM excel.exe
      2⤵
      PID:2568
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM excel.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1740
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM steam.exe
      2⤵
      PID:2436
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM steam.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM powerpnt.exe
      2⤵
      PID:2720
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM powerpnt.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM cs2.exe
      2⤵
      PID:2704
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cs2.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM taskmgr.exe
      2⤵
      PID:2432
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
    • C:\Windows\system32\cmd.exe
      "cmd" /c taskkill /F /IM postgres.exe
      2⤵
      PID:2572
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM postgres.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
    • C:\Windows\system32\cmd.exe
      "cmd" /c sc stop MySQL57
      2⤵
      PID:2388
      • C:\Windows\system32\sc.exe
        sc stop MySQL57
        3⤵
        • Launches sc.exe
        PID:948
    • C:\Windows\system32\cmd.exe
      "cmd" /c sc stop MySQL80
      2⤵
      PID:2364
      • C:\Windows\system32\sc.exe
        sc stop MySQL80
        3⤵
        • Launches sc.exe
        PID:2004
    • C:\Windows\system32\cmd.exe
      "cmd" /c sc stop MySQL82
      2⤵
      PID:924
      • C:\Windows\system32\sc.exe
        sc stop MySQL82
        3⤵
        • Launches sc.exe
        PID:884
    • C:\Windows\system32\cmd.exe
      "cmd" /c sc stop postgresql-x64-14
      2⤵
      PID:2080
      • C:\Windows\system32\sc.exe
        sc stop postgresql-x64-14
        3⤵
        • Launches sc.exe
        PID:1200
    • C:\Windows\system32\cmd.exe
      "cmd" /c sc stop postgresql-x64-15
      2⤵
      PID:984
      • C:\Windows\system32\sc.exe
        sc stop postgresql-x64-15
        3⤵
        • Launches sc.exe
        PID:2180
    • C:\Windows\system32\cmd.exe
      "cmd" /C "del C:\Users\Admin\AppData\Roaming\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"
      2⤵
      PID:2468
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:932
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\AddPop.emf.abbt
    1⤵
    • Modifies registry class
    PID:2724
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Albabat_README.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2544
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2464
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Albabat_README.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2092
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2092 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2420
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:664
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap27935:382:7zEvent32116 -ad -saa -- "C:\Users\Admin\Albabat\Albabat"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:348
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Albabat.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Create or Modify System Process
    1
    T1543
    • Windows Service
      1
      T1543.003

Privilege Escalation

  • Create or Modify System Process
    1
    T1543
    • Windows Service
      1
      T1543.003

Defense Evasion

  • Indicator Removal
    2
    T1070
    • File Deletion
      2
      T1070.004
  • Impair Defenses
    1
    T1562
  • Modify Registry
    2
    T1112

Credential Access

  • Unsecured Credentials
    1
    T1552
    • Credentials In Files
      1
      T1552.001

Discovery

  • System Information Discovery
    1
    T1082

Collection

  • Data from Local System
    1
    T1005

Impact

  • Inhibit System Recovery
    2
    T1490
  • Service Stop
    1
    T1489
  • Defacement
    1
    T1491

                                                  Downloads

                                                  • C:\Users\Admin\Albabat\Albabat.ekey
                                                    Filesize

                                                    256B

                                                  • C:\Users\Admin\Albabat\Albabat_Logs.log
                                                    Filesize

                                                    4KB

                                                  • C:\Users\Admin\Albabat\Albabat_Logs.log
                                                    Filesize

                                                    10KB

                                                  • C:\Users\Admin\Albabat\Albabat_Logs.log
                                                    Filesize

                                                    2KB

                                                  • C:\Users\Admin\Albabat\personal_id.txt
                                                    Filesize

                                                    24B

                                                  • C:\Users\Admin\Albabat\readme\assets\banner.jpg
                                                    Filesize

                                                    34KB

                                                  • C:\Users\Admin\Albabat\readme\assets\script.js
                                                    Filesize

                                                    1KB

                                                  • C:\Users\Admin\Albabat\readme\assets\style.css
                                                    Filesize

                                                    2KB

                                                  • C:\Users\Admin\Albabat\readme\pages\faq.html
                                                    Filesize

                                                    5KB

                                                  • C:\Users\Admin\Albabat\wallpaper_albabat.jpg
                                                    Filesize

                                                    64KB

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                                                    Filesize

                                                    1KB

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_12A01E2DD41364228929C51A0E5AEB57
                                                    Filesize

                                                    471B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682
                                                    Filesize

                                                    472B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                    Filesize

                                                    914B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    68KB

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E
                                                    Filesize

                                                    471B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
                                                    Filesize

                                                    724B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                                                    Filesize

                                                    1KB

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                                                    Filesize

                                                    410B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_12A01E2DD41364228929C51A0E5AEB57
                                                    Filesize

                                                    406B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682
                                                    Filesize

                                                    402B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                    Filesize

                                                    252B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    fea2ac64044019af20f3239c3b433844

                                                    SHA1

                                                    2808e19c950b4c22e0726575afe8d727e765c6c1

                                                    SHA256

                                                    3a98fe495a06ca9d30094618393c2c3d44d50e476ec32ff94b6b2948ca38bccb

                                                    SHA512

                                                    66d1763efcbef201a9c5108db653665fd4b37b59b03a330d580917cd40dbb3934e9815ce177e865950b8b629b039f3f851a03af4141d61d94d7b90aa7e6e3dda

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    da569331d6d18f905646c4598574762c

                                                    SHA1

                                                    7b65b7add7f3434056ace33ef27cf9683f94a7d2

                                                    SHA256

                                                    13c99c4608fa12830547d3fe979245779f9fdc34d0408dc676ed1bc545e9b899

                                                    SHA512

                                                    c30b8a5dc0cc00fee37ba962283653cc5dad264afaaab0f0f5d6e4cc1e5aec0fde7ac3e3e344e88c852c9ac4efe6cd10136495d859f49b918317f7c472178c9d

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    fda6e52f6091478430e5c12fae5240c6

                                                    SHA1

                                                    d91e2ae45d90bf67680675091beb3c1364bcb76f

                                                    SHA256

                                                    25518d56965fbe40786b05d86db9d596f8284ecaf3ac0a79db25706f1a7a9258

                                                    SHA512

                                                    8f1a4ae851935534e4979512b7e8c0b5cef2da745507b7cb685b25ec8dbc6d7a2d1bbf42c056b02f1a6fcfde3f5859fba07ddce2cd6a010af6436c2039d94cda

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    e531e4b9c42b69ba5e83da58121a34a6

                                                    SHA1

                                                    3f9b39e0659917b3cf1dafe69064739a0ceebe91

                                                    SHA256

                                                    c038ae343078ec6ce975536a615feec5b984a1542779ae3a3226a7bd0699a4d6

                                                    SHA512

                                                    2544379a0a270236888cefc3e61fb6d71f146143f416c0f60a8b2b38134b8f8b984c9d4a18f327dab49e684fb24f20b9861238cbbc712f77180fd518c83ceeaf

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    ea912110f6d118be090643984e2ca7f5

                                                    SHA1

                                                    20eff996bd10b720394c091c5ab054ec35c646b7

                                                    SHA256

                                                    bd53258f6e0b7841d198b2347d9722de12b828dc1d9a573677b68240ee33a440

                                                    SHA512

                                                    f3907f09149396db743e7fe3d8ed380381888a930b30aefe7e2ed4320014ea51abdad216a3b11dce5e704c15effd2d73a5c8139be1e386fa24f69c45db718bcc

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    7132275dddd01c9dc3263e915d068c7d

                                                    SHA1

                                                    3fbaace9e13c24335805ce0ca0e8cf573bd2d802

                                                    SHA256

                                                    e5f02026a7e7bcdbd48ff2f163b2c159ad798b91a4ec945c868f6836ed51f704

                                                    SHA512

                                                    d9907cfa7142430807b5bf52f7c0d31833823794c9674ddd0eb73a85ec49879ad46edc43fa924d241c028237cb8b48f81307c9f3b6cbf8d4cdf643490e547d62

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    5c28badc903a214ef8948629b61ea979

                                                    SHA1

                                                    9765bd98bd013d736e8a7823c9ce9baf91e4e4f1

                                                    SHA256

                                                    59129581d63ee0543cc6c47579afcc0e0c5a123fccbd56a2e47d7200c7e4f764

                                                    SHA512

                                                    bcbd55369021a8eb2ee5f4f82a6b327eca01c10b1b090f3d31c2e2a515153eedcdcd1eddbfcf0c452b83df07b951b67d0411ea7def85353f964094b733c0aa96

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    eb44d81a082edcefebdaade1211febec

                                                    SHA1

                                                    5487e8e15ff272d6381dcbcaf45abbff5d70ac8d

                                                    SHA256

                                                    a4725e361a035e0b86c4f6fe8b117df9c297bd7576e0db0d5adab3fec6744ff0

                                                    SHA512

                                                    1bf59848306b5b7f6065c10c34a6af8da8d85e0c6d52e0979ad860d72af644964347dc328ba07463db90c654ce4300e1bec4d8ef79b1bec04c444dbad4a42e46

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    dfe81fd867fc365e7c682c0d9524e999

                                                    SHA1

                                                    b2d1df1ce12472ebd68ab69d00fc7abdaf3a04c2

                                                    SHA256

                                                    ca0897487225d6dfd9007ca292e8a056dd34c4ba2c18b0318853386321230b56

                                                    SHA512

                                                    c66e3733c9d7cdc2644b5a55b842e5dc4c55daa0d195c27e6f0afafd7ea4a00bc6205ba91b412ec9b3371dbb0e1c7f3e4796a9e9520b233651f61208bd35258f

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    d32f645c01a7a9a55db8cedbb5dff9be

                                                    SHA1

                                                    a5bda23506a9c5e7e58c64070451217be4897f3b

                                                    SHA256

                                                    5d8a5f8c3884ecc2131eea75b99a44c12291801dd33f546e449c88761019447e

                                                    SHA512

                                                    7f18b3ff804cfa2a6608eb1e5ceef35ae19d2be19fd5fa8d611fa37d27605db50c62d78230da42e9b21558761d9172bcef8baf52b1dfb32ad9be032bc4514e08

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    8597d02ad23111c98d4bd34dbc35dc5c

                                                    SHA1

                                                    e7cec07b8813d477f5c0a8899d61641b58e507eb

                                                    SHA256

                                                    5fe7055544ec66bc3bd9c7ef866a07855e24f602bcafcdfd3b158df773d10ff0

                                                    SHA512

                                                    7123def021344ad46ac671966c40f72bcadeb808241b4b8a6abed2dc8a323515aefda290790dc9eb06f58f41483355f8b223b961698757dfb50a4738ad6e918e

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                    Filesize

                                                    344B

                                                    MD5

                                                    4729cee38a9ac8fa8a0bf2a5feaf0acb

                                                    SHA1

                                                    4794fdf5631f202410ad7d20a9d16dfef6797b50

                                                    SHA256

                                                    5492bd37dbc90791b0336b43e7aeb3a9e701733ad504a427d1658fd3e65cff96

                                                    SHA512

                                                    2f3e3dd379fe068c83d14b5e8cad56b3f8216e42a32f05881398f260a30bde12e3555f00c663d8e6149b393e76bf002107a278c5b46e147bb8cb2ee44cf409f6

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E
                                                    Filesize

                                                    406B


                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
                                                    Filesize

                                                    392B


                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                                    Filesize

                                                    242B


                                                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{BA76E2A0-D0CB-11EE-AB17-C695CBC44580}.dat
                                                    Filesize

                                                    5KB


                                                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{2E9B15A8-EF2F-11EE-A1FB-E299A69EE862}.dat
                                                    Filesize

                                                    4KB


                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\m=el_main[1].js
                                                    Filesize

                                                    208KB


                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\m=el_main_css[1].css
                                                    Filesize

                                                    19KB


                                                  • C:\Users\Admin\AppData\Local\Temp\CabCC84.tmp
                                                    Filesize

                                                    65KB


                                                  • C:\Users\Admin\AppData\Local\Temp\TarCC96.tmp
                                                    Filesize

                                                    171KB


                                                  • C:\Users\Admin\AppData\Local\Temp\TarCDB5.tmp
                                                    Filesize

                                                    177KB


                                                  • C:\Users\Admin\AppData\Local\Temp\~DFAA6B60274F41FCBA.TMP
                                                    Filesize

                                                    16KB


                                                  • C:\Users\Admin\Desktop\Albabat.7z
                                                    Filesize

                                                    82KB


                                                  • C:\Users\Admin\Desktop\Albabat_README.html
                                                    Filesize

                                                    11KB
