483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74

Resubmissions

31/03/2024, 07:20

240331-h5425sfh6t 10

14/01/2024, 09:31

240114-lg9t9sfgfj 9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe
Size

974KB
MD5

45d20637261dea248644a849818659a0
SHA1

29a81b7cf0f5f4a69fe47c4ccf3d06a300899997
SHA256

483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74
SHA512

a9c935eb23fba99ba74299db7b8ac3a158183d9fe9ccaaa87e8a1b9d39c518d223563378d981e6bf386f058b159609fb42e14ca45c023f7688ca57e0c61d2519
SSDEEP

12288:fFDF/UI+c+xTOQUMnufZUgxXu/VzcccSCO4lkAjx9h/MR1V:fjnb+OQUMnufZ+tzcccSCO6ke3/Mf

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Albabat\readme\README.html

Ransom Note

Top | About | Payment | Contact | Decryption | FAQ | Translator 156 files on your machine have been encrypted! Your PERSONAL ID: 475cb3b6a5b60f962c94c1da ::> How important are your files to you? Read this document for information on what happened and how to recover your files again. [+] 1 - ABOUT "Albabat Ransomware" [+] The "Albabat Ransomware" is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using symmetric encryption algorithm with military-grade identification. The "Albabat Ransomware" will automatically create a folder called "Albabat" in your machine's user directory, but precisely in: "C:\Users\Admin\Albabat\". IT IS RECOMMENDED to make a BACKUP of the ENTIRE "C:\Users\Admin\Albabat\" folder, as it contains important files for recovering your files, which will be explained later in this document about each of them. This folder also contains these same note documents, in: "C:\Users\Admin\Albabat\readme\README.html". - 1.1 - THE KEY TO CRYPTOGRAPHY Your files were encrypted with a KEY that was stored in the file "Albabat.ekey". Present in the "C:\Users\Admin\Albabat\" directory. However, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), which means that it requires a PRIVATE KEY to be decrypted, and only I (tH3_CyberXY) have the PRIVATE KEY to perform this decryption, so that you can use the KEY "Albabat.key" in recovering your files. There is no way to decrypt your files without my data decryption service. There is no way to decrypt the files without decrypting the "Albabat.ekey" key. Don't delete, don't rename, don't lose the "Albabat.ekey" key. - 1.2 - YOUR PERSONAL ID Just like "Albabat.ekey", the PERSONAL ID is important in the process of decrypting your files, which will be used in the decryptor, which will be discussed later in the "DECRYPTION PROCESS" section. This number maintains a unique identity in your machine's encryption process. In addition to being informed in this document, your PERSONAL ID will also be printed in the "personal_id.txt" file in "C:\Users\Admin\Albabat\". Do not lose your PERSONAL ID, just as you should NOT lose the "Albabat.ekey" key. - 1.3 - THE ENCRYPTION PROCESS Encrypted files have the extension ".abbt". Don't try to rename it, it won't work. On the contrary, you may corrupt your files. The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB). The "Albabat Ransomware" randomly recursively traverses all directories it does not belong to the operation of the Operating System. Encrypts files in the user directory, even database locations and drives mounted on the machine if any. The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that. The "Albabat Ransomware" saves a log file named "Albabat_Logs.log" in the "C:\Users\Admin\Albabat\" directory. This file you can see all files that were encrypted by "Albabat Ransomware" in path form. [+] 2 - HOW TO CONTACT [+] These are the only ways to get in touch to recover your files. Any other form found on the internet will be fake. Contact methods: Email: [email protected] [+] 3 - PAYMENT [+] The decryption process is PAID in Bitcoin, so you need to have a Bitcoin balance on a cryptocurrency exchange or in a cryptocurrency wallet to make the deposit. You may want to read the FAQ page to know what Bitcoin is. Payment data: Bitcoin address: bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj Amount to pay: 0,0015 BTC - To make payment and restore your files, follow these steps - (1) Write down the data to make the transfer via the Bitcoin address and the AMOUNT to pay specified above. Note: Remembering that the price of Bitcoin may vary monetarily depending on when you make the payment. (2) - Once you make the payment to the Bitcoin address above, send an email with a structure similar to this: Subject: Albabat Ransomware - I did the payment! Message: Hello, I made the payment. My BTC address where I made the payment is "xxx". The version of the "Albabat Ransomware" running on my machine was "0.3.0". Follow the attached KEY "Albabat.ekey". IMPORANT: Payment will be verifying using YOUR BTC ADDRESS ("xxx") in which the transaction was carried out, so it is IMPORTANT to inform when sending this email. It is also IMPORTANT that you send the KEY "Albabat.ekey" as an attachment, regardless of the contact method you chose. The key will be decrypted for you. You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "decryptor.exe" attached (zipped). Albabat.key" and "decryptor.exe" within 24 hours, but it may vary by more or less depending on my availability times and the amount of demands I receive. Be patient. [+] 4 - DECRYPTION PROCESS [+] > To decrypt your files follow the steps below: (1) Place the "Albabat.key" that you received by email, inside the "C:\Users\Admin\Albabat\" directory, or, if you prefer, keep it in the same directory as "decryptor.exe". > IMPORTANT:At this point, it is very important that you close all open Explorer windows, and heavy programs, to prevent "decryptor.exe" from crashing and/or have poor performance. And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process. (2) Run "decryptor.exe" and enter YOUR PERSONAL ID, then press ENTER. An alert message will appear informing you that the decryption started, just click Ok. Note: If you are on Linux, open a terminal and run from the command line to see the process. E.g: ./decryptor (3) Wait for the decryption completion message to be displayed in console, this may take a while depending on the quantity of files that have been encrypted and power of your machine. You can see the decryption process by I live from your files, if I have time for that. (4) After decryption is complete, all your files will be restored and the decryption log file "Albabat_Logs.log". will be created in the decryptor directory. If you have further questions, such as: "How can I be sure my files can be decrypted?", you can read the FAQ page. Copyright (c) 2021-2023 Albabat Ransomware - All Right Reserved. Maintained by: tH3_CyberXY.

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (154) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Albabat\\wallpaper_albabat.jpg"	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\83dbecdd-7ceb-4717-a92d-cff1af21c67a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240331072028.pma	setup.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
6372	sc.exe
6420	sc.exe
6480	sc.exe
6652	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4132	vssadmin.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
4128	taskkill.exe
3592	taskkill.exe
6284	taskkill.exe
6452	taskkill.exe
6444	taskkill.exe
6312	taskkill.exe
6380	taskkill.exe
6436	taskkill.exe
4596	taskkill.exe
6468	taskkill.exe
6460	taskkill.exe
6428	taskkill.exe
3408	taskkill.exe
1200	taskkill.exe
3436	taskkill.exe
6364	taskkill.exe
6408	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
6340	msedge.exe
6340	msedge.exe
5828	msedge.exe
5828	msedge.exe
220	identity_helper.exe
220	identity_helper.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	3140	vssvc.exe
Token: SeRestorePrivilege	3140	vssvc.exe
Token: SeAuditPrivilege	3140	vssvc.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	6284	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	6452	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	6312	taskkill.exe
Token: SeDebugPrivilege	6444	taskkill.exe
Token: SeDebugPrivilege	6364	taskkill.exe
Token: SeDebugPrivilege	6428	taskkill.exe
Token: SeDebugPrivilege	6460	taskkill.exe
Token: SeDebugPrivilege	6468	taskkill.exe
Token: SeDebugPrivilege	6380	taskkill.exe
Token: SeDebugPrivilege	6436	taskkill.exe
Token: SeDebugPrivilege	6408	taskkill.exe
Token: 35	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5828	msedge.exe
5828	msedge.exe
5828	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4132	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	88
PID 4280 wrote to memory of 4132	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	88
PID 4280 wrote to memory of 4360	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	89
PID 4280 wrote to memory of 4360	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	89
PID 4280 wrote to memory of 2616	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	92
PID 4280 wrote to memory of 2616	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	92
PID 4280 wrote to memory of 5108	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	93
PID 4280 wrote to memory of 5108	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	93
PID 4280 wrote to memory of 4764	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	94
PID 4280 wrote to memory of 4764	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	94
PID 4280 wrote to memory of 3584	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	95
PID 4280 wrote to memory of 3584	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	95
PID 4280 wrote to memory of 4828	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	96
PID 4280 wrote to memory of 4828	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	96
PID 4280 wrote to memory of 3652	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	97
PID 4280 wrote to memory of 3652	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	97
PID 4280 wrote to memory of 1272	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	98
PID 4280 wrote to memory of 1272	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	98
PID 4280 wrote to memory of 1444	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	99
PID 4280 wrote to memory of 1444	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	99
PID 4280 wrote to memory of 2056	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	104
PID 4280 wrote to memory of 2056	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	104
PID 4280 wrote to memory of 1480	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	107
PID 4280 wrote to memory of 1480	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	107
PID 4280 wrote to memory of 4568	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	108
PID 4280 wrote to memory of 4568	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	108
PID 4280 wrote to memory of 2932	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	112
PID 4280 wrote to memory of 2932	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	112
PID 4280 wrote to memory of 3864	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	113
PID 4280 wrote to memory of 3864	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	113
PID 4280 wrote to memory of 3372	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	115
PID 4280 wrote to memory of 3372	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	115
PID 4280 wrote to memory of 2440	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	119
PID 4280 wrote to memory of 2440	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	119
PID 4280 wrote to memory of 5072	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	120
PID 4280 wrote to memory of 5072	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	120
PID 4280 wrote to memory of 4372	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	121
PID 4280 wrote to memory of 4372	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	121
PID 4280 wrote to memory of 4820	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	124
PID 4280 wrote to memory of 4820	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	124
PID 4280 wrote to memory of 496	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	127
PID 4280 wrote to memory of 496	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	127
PID 4280 wrote to memory of 3004	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	128
PID 4280 wrote to memory of 3004	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	128
PID 4280 wrote to memory of 1304	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	132
PID 4280 wrote to memory of 1304	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	132
PID 4280 wrote to memory of 3896	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	133
PID 4280 wrote to memory of 3896	4280	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	133
PID 4764 wrote to memory of 4596	4764	cmd.exe	137
PID 4764 wrote to memory of 4596	4764	cmd.exe	137
PID 2616 wrote to memory of 3408	2616	cmd.exe	138
PID 2616 wrote to memory of 3408	2616	cmd.exe	138
PID 3652 wrote to memory of 3592	3652	cmd.exe	139
PID 3652 wrote to memory of 3592	3652	cmd.exe	139
PID 1480 wrote to memory of 4128	1480	cmd.exe	140
PID 1480 wrote to memory of 4128	1480	cmd.exe	140
PID 1304 wrote to memory of 1516	1304	cmd.exe	141
PID 1304 wrote to memory of 1516	1304	cmd.exe	141
PID 3864 wrote to memory of 3436	3864	cmd.exe	142
PID 3864 wrote to memory of 3436	3864	cmd.exe	142
PID 4568 wrote to memory of 1200	4568	cmd.exe	143
PID 4568 wrote to memory of 1200	4568	cmd.exe	143
PID 2932 wrote to memory of 6284	2932	cmd.exe	145
PID 2932 wrote to memory of 6284	2932	cmd.exe	145

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe
"C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4132
- C:\Windows\system32\reg.exe
  "reg" add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 0
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM code.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM code.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM chrome.exe
  2⤵
  PID:5108
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6408
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM taskmgr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM winword.exe
  2⤵
  PID:3584
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6444
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM postgres.exe
  2⤵
  PID:4828
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM postgres.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6428
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM steam.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM steam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM excel.exe
  2⤵
  PID:1272
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6364
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM outlook.exe
  2⤵
  PID:1444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM outlook.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6452
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM mspub.exe
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mspub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6312
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM sublime_text.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sublime_text.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM msedge.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM msaccess.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msaccess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6284
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM mysqlworkbench.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mysqlworkbench.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM onedrive.exe
  2⤵
  PID:3372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM onedrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6460
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM cs2.exe
  2⤵
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cs2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6436
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM windowsterminal.exe
  2⤵
  PID:5072
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM windowsterminal.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6468
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM powerpnt.exe
  2⤵
  PID:4372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM powerpnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6380
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL57
  2⤵
  PID:4820
- - C:\Windows\system32\sc.exe
    sc stop MySQL57
    3⤵
    - Launches sc.exe
    PID:6420
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL82
  2⤵
  PID:496
- - C:\Windows\system32\sc.exe
    sc stop MySQL82
    3⤵
    - Launches sc.exe
    PID:6480
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL80
  2⤵
  PID:3004
- - C:\Windows\system32\sc.exe
    sc stop MySQL80
    3⤵
    - Launches sc.exe
    PID:6652
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop postgresql-x64-14
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\sc.exe
    sc stop postgresql-x64-14
    3⤵
    - Launches sc.exe
    PID:1516
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop postgresql-x64-15
  2⤵
  PID:3896
- - C:\Windows\system32\sc.exe
    sc stop postgresql-x64-15
    3⤵
    - Launches sc.exe
    PID:6372
- C:\Windows\system32\cmd.exe
  "cmd" /c start msedge.exe --kiosk C:\Users\Admin\Albabat\readme\README.html --edge-kiosk-type=fullscreen
  2⤵
  - Checks computer location settings
  PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\Admin\Albabat\readme\README.html --edge-kiosk-type=fullscreen
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe154b46f8,0x7ffe154b4708,0x7ffe154b4718
      4⤵
      PID:5912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:6596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      PID:6732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:6868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      PID:7052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:7056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
      4⤵
      PID:4600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
      4⤵
      PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
      4⤵
      PID:5572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
      4⤵
      PID:5708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
      4⤵
      PID:6120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
      4⤵
      PID:3304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
      4⤵
      PID:3276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
      4⤵
      PID:896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe8,0xe4,0xf0,0x1f0,0xec,0x7ff67cdd5460,0x7ff67cdd5470,0x7ff67cdd5480
        5⤵
        
        PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
      4⤵
      PID:64
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,5310393378965762383,230539041320661831,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5984 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3968
- C:\Windows\system32\cmd.exe
  "cmd" /C "del C:\Users\Admin\AppData\Roaming\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"
  2⤵
  PID:5644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Albabat\Albabat_Logs.log

Filesize
9KB

MD5
e4aefd852a8b0bee45f15b74ffdabd04

SHA1
8a4b40c4901e57c0372f7c194b1596da9ff62df0

SHA256
b70e2f5571b04035e6aae3be217bd0a9df6282bf3feae1232fed80e01f15428d

SHA512
26931d9999cf929fad5778d1a623f1337aa3b7b7ae0c9ddf4a6ef6ea4709d0b0c2b6279c7b383da26ebdeda008b1a3b6d846bc12470239bc6cbf127090fe2f29

Download Submit
C:\Users\Admin\Albabat\readme\README.html

Filesize
11KB

MD5
7d5bd380a702336dbb02ce5bef3a41f1

SHA1
b399a7b01e460690af3713c8bd8ecef564ef9f11

SHA256
4dd6fc170395a880ffc98c2ade058c3450b42d3a6180d24cdf74ea96a4cce610

SHA512
67ed0f0f3e0ef063534c6114d460777be05a7e3cdc7e117f7404c6208dc34caecc6fc02f6e8df42763553199e71b75b55d57c0187a62d32ac4f585b27a61afdf

Download Submit
C:\Users\Admin\Albabat\readme\assets\banner.jpg

Filesize
34KB

MD5
cdd21e46a5979655fe9debcf8d59cd4b

SHA1
94f8ce57c0507b88952fadc3f6f244fce64d2085

SHA256
de25a55ff7e70c900c5e49e32aad2a0704ab074af5fee3eac230dc9bab373f04

SHA512
bd0ce1c5098ffcfb52e3e183ba025ef1be4d0dd4a3fe8a90b60bb139d4717263e427339f1028aeec6aa8d32ff31181ebff8d306d2c34b57015b2a3049c21f45e

Download Submit
C:\Users\Admin\Albabat\readme\assets\script.js

Filesize
1KB

MD5
e9f53c2fe8f64fb7d0734d13ee9a4e32

SHA1
f93d0cfffe122ed8a1731b811593094c813a8456

SHA256
ec235d691cfabc4ef54a889398e17d11541b10f27a066e10444429c86a4565bd

SHA512
ec67691036ff7047aeed7b4dade254164d2a5e60cfd5a58269023ac843252e7d916c826e6f0a186fb6398a11e651e6fca9cf889a81894095efd43253fd5e1e7e

Download Submit
C:\Users\Admin\Albabat\readme\assets\style.css

Filesize
2KB

MD5
a4aa4f0c506a5e9c608773293ff7b794

SHA1
b360063387c81c49184cd67341c1da46e7ee6693

SHA256
c18a7519a841d7b8b32f5fedfb8d7cb1107c0d03c1c0d5ec7b6c41564814dddf

SHA512
23e17b9ca42520c0a07a1031ae096dfb837196d3928205c8eadbceda87bfff5f1655ee953bd725298175564f96d96e751d9f02ee0b83d25b134b292fea175815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\2ca4ae51-5a0e-4627-a781-5edd78b036e2.tmp

Filesize
11KB

MD5
7fe591eb79ba0d58c569161cd56a6cf9

SHA1
d85b169af74a677a4a50ebfb92a37c4c54a68072

SHA256
fd4ec9c14f3bd3d22eca268c35d6767c35e7578c44aef989190f1d73af3b1571

SHA512
7b4f422e469cabfc4fe7fccf388a673abc29fa1896a071656110b03e3877ee8a19ab76eddd796ce004494c0856b82887ae8be76768ab79c0ef0abaae78aeec8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
152B

MD5
68bafc2e4b99a62e61b9b50718e4ea99

SHA1
d7c53eedea5ef08fb020eec3dace629902279f7c

SHA256
202b9ba3559bbfefaae1b7874441ce237e98b2ae745e371ddec21dc35568c965

SHA512
5487a35730929f99263c9df78767283b93bca5b4dc9b8533c63382b835bd6d043df5e90fde590d58371594196246cc5dfbdbeb159616e55a0a76d14915f5ec7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
152B

MD5
5cd4d8d154f4947bffde15bf4ac86184

SHA1
7eaca95132949ddbf400caf01b4f8a6592d22e1c

SHA256
ff7f95d9f5d94adcc4eed8d11e9568c46c94fa3a7a6f5991bbec1487db8ed29e

SHA512
f0e3dd4cc8c9ae6586e44bc5e515189ab7e67700214bd506d77b3232af90d1b7e2c4fbe63a900722adbc62dc21cd8fd88b6d44798592b87e3e0bb777d6596827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
152B

MD5
f9c7cd072427547b775b8954d6654130

SHA1
2cf73b766544dc43ec6bce7c13315d31cb972d39

SHA256
37a393106027eaa6230420a113d85b69131ac15b0f3ce23299abe441dfe689e5

SHA512
150547707eeeb864bb7334ec8732a79e3242163c59b7abd6d0d36a486230ff6f88037d53f218195c2819d6ee7fbdd75d96108637227173aa185f9ef31daf8d7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
f317838f0466fbff0adb5d567e254e21

SHA1
d13c943209871d850f69a4e525780101ad92fac8

SHA256
f33c094eb3f8e8b057b661f047ddb428e88527948dc82b28a92882a208a918db

SHA512
02721fa4ab76b9291b7da4ecdc69ac9e00ce8ba2f43e7a07573aff2b7a21708586ebdd7fab645089c96fcb172ec4bf09228f9556d11e8f300f244f546676c8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

Filesize
4KB

MD5
38c9d0f7c3e7dee1c4d915c41b8962cc

SHA1
bc9e0d15a57c877cf1b9f7c4fef38deea7faf6ac

SHA256
61a042bd7a9b5d4af6d993ee64c4f4ec2bc941638cfd48328902c27699655246

SHA512
dcbc2f8f7d8ad0b26ed4eef06c40756aa784600c06d63227db70defa4526956b5f6fe0b9bf2c57fbb090569e06b2a8464d4abe31e10e2f40d654b92099991beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

Filesize
3KB

MD5
3a7c7fb37e9825f43f7ea6e7b1364e91

SHA1
eedad3657cd0bc8ee39bec162ed43ab06fd7bc3e

SHA256
025261ca5f49fd2a97890459e0e387c5a8339a9b8866cdb7071a8ffcc6748d71

SHA512
b00de33acaf4bdfea418e5162c345f544d1000f847f8e921083990614dfe3b09410894099cd5b657628faf0296ff413ce3112892a8705979af25aaa9015c9e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

Filesize
4KB

MD5
65c247c209cdac706f7c206ee2650bf3

SHA1
0d46712abae1f6924ec31aa1ebf6e6b3846779ed

SHA256
ab62366b3493402e14b141194d39160f855b0a2b3ab036bf7da11bf9f2e7022d

SHA512
38ec001c27d3f43809a6dde792718c20e8440079dd63df0bb3971caa0fa9546f4a31c42422cf7a136280fe7e7517b47764b28384792bdbcd8053d4fd243b0353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RFe57853d.TMP

Filesize
3KB

MD5
3dce687dea2215b7e1554e798fbf4c99

SHA1
0daf90c1b4d829808740cad53dd575282f96897e

SHA256
0874613af3721bcfebd6660b3a872b68466abd21827a716ee3d128113c6202d1

SHA512
842914eea245e34726f8495d58afd44189ba3686e0f777d183f4b6e33f6079a8a28b47158f81d98197f5954e3c9704f01e08ab567730dc65524518e6c11b919f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

Filesize
24KB

MD5
0f3c9fda22d1ffcd698161a22837c85e

SHA1
c255dea12df6d285153bde20b12d1503fc92d74c

SHA256
3c03d1d30de761908c609515da45d79679e95ad64c641d44bb5fd2f5c2fe4763

SHA512
00de5a46335d63f1d10cb27e888ff62f3b3e0c937026731635bbb1c3b2f9a513aaf83e4852d7108ffa1ae73f3ea30f9a0202048ccb429faedf0c3464992e433f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57ac5d.TMP

Filesize
24KB

MD5
c1807cfb31d23c11747e286d1cda24ea

SHA1
54a6ccb38be714fac2a0d5efc9fcd7aee7bbe0a2

SHA256
c792c3dafcb210561969266581d7464e84c15abcac8a6cf83eba837a19390ed2

SHA512
3bd11068285c95eead4be069965c90571a115c44fa3f5cea14cd188a2d2996ab3e661e2161179e929964683ddf02674fb40dca7c16cf401aff165ebb4d929409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\77HZ65NRXV5EZX5CFHCL.temp

Filesize
3KB

MD5
49801777b20a3dbead7f80332ece53e6

SHA1
d394322dfb9ed172f53c164217962378452313d0

SHA256
5385055addc2dff1f2c8d7acd5e45a4343d837b3a289849823a653242a8bfe43

SHA512
936ca5ce1a515903d1f36af85aa0684efcabbd6a6b36ecc28b1bbb981c4a6b7ff8f0fff7f9f6356f202fbed1165ff5d2db5766b5d161e9d7a988ac68678df3ee

Download Submit
C:\Users\Admin\Downloads\CloseMeasure.TTS.abbt

Filesize
1.2MB

MD5
41ee134d3db32977e1144a9def9f7d87

SHA1
95e0d9e2f156f3e390175f8abc98b4bf6e88a824

SHA256
f81e3d3c0cc482527b34d05cd65b8eca2684a32c659849a6f86f82183b343f6c

SHA512
ccb3930139299c850d67ed91772fb4a11b6deabeef1c055bf6667b034bbe040af0b91315151857929010f52eed6549771fe666601225859cf4b0f442c22afa7b

Download Submit
C:\Users\Admin\Downloads\JoinMerge.wm.abbt

Filesize
664KB

MD5
c4be8b729c82f390c78269db7d5a75db

SHA1
28617079cb6a494406579ed9b78873194a27b610

SHA256
3b043f91ff17ce2bd67fc9393959d9e02dc264c4ea4bda4ef50cfed7d1bd93dd

SHA512
8f1a7f22f54d8073064ce86f1d40df39111475ea43a9cb67c5bd27111e87bfaea6ce950d3831e96b5e6d90f531e4d51939af98834da47af49dcb300b7a418d92

Download Submit
C:\Users\Admin\Downloads\MeasureBlock.potx.abbt

Filesize
16B

MD5
043e905074d21cb814e154954e45f7ab

SHA1
399da6b4cf23c83a2080376963faab2e26796274

SHA256
b1677951f2e53bb517cfb3bcbe7086f97835f450c1ce997598ee85cc15ccc116

SHA512
7a660572a7644f50ac63fa359782cdf7bc0e178690e2d306deb215dfff3c62e07ec19c7aafeac6c6de68d3f64bc705d6601ef6d0371432023707a3c25f5b9522

Download Submit
C:\Users\Admin\Downloads\PublishReset.M2TS.abbt

Filesize
757KB

MD5
9b2655db3f7e93bc9fcc22b73a11ef54

SHA1
475691f4028b2c83b24a0db70171e3ebe8378f54

SHA256
1386bcaf8a59bae34711ee7c71d08084141d5908aec596d51410c1514743d46f

SHA512
c8e8743f1f09e0a8b92efea571a52cbb1a713eb9dbcc236559f2540d78c95c8ea60b1d7aaea0c7e5fd3e1f8f19630fdd2882960dab764b97aa0cd0eb673650f2

Download Submit