7b150cde4b4edb0f08add7788018b1e5fc1c25d0e27774531e6208678ebe8d30

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Albabat-0xb.exe
Size

974KB
MD5

45d20637261dea248644a849818659a0
SHA1

29a81b7cf0f5f4a69fe47c4ccf3d06a300899997
SHA256

483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74
SHA512

a9c935eb23fba99ba74299db7b8ac3a158183d9fe9ccaaa87e8a1b9d39c518d223563378d981e6bf386f058b159609fb42e14ca45c023f7688ca57e0c61d2519
SSDEEP

12288:fFDF/UI+c+xTOQUMnufZUgxXu/VzcccSCO4lkAjx9h/MR1V:fjnb+OQUMnufZ+tzcccSCO6ke3/Mf

Score

10^/10

credential_access defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Albabat\readme\README.html

Ransom Note

Top | About | Payment | Contact | Decryption | FAQ | Translator 89 files on your machine have been encrypted! Your PERSONAL ID: 58cb103aa3934d597ed64ea9 ::> How important are your files to you? Read this document for information on what happened and how to recover your files again. [+] 1 - ABOUT "Albabat Ransomware" [+] The "Albabat Ransomware" is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using symmetric encryption algorithm with military-grade identification. The "Albabat Ransomware" will automatically create a folder called "Albabat" in your machine's user directory, but precisely in: "C:\Users\Admin\Albabat\". IT IS RECOMMENDED to make a BACKUP of the ENTIRE "C:\Users\Admin\Albabat\" folder, as it contains important files for recovering your files, which will be explained later in this document about each of them. This folder also contains these same note documents, in: "C:\Users\Admin\Albabat\readme\README.html". - 1.1 - THE KEY TO CRYPTOGRAPHY Your files were encrypted with a KEY that was stored in the file "Albabat.ekey". Present in the "C:\Users\Admin\Albabat\" directory. However, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), which means that it requires a PRIVATE KEY to be decrypted, and only I (tH3_CyberXY) have the PRIVATE KEY to perform this decryption, so that you can use the KEY "Albabat.key" in recovering your files. There is no way to decrypt your files without my data decryption service. There is no way to decrypt the files without decrypting the "Albabat.ekey" key. Don't delete, don't rename, don't lose the "Albabat.ekey" key. - 1.2 - YOUR PERSONAL ID Just like "Albabat.ekey", the PERSONAL ID is important in the process of decrypting your files, which will be used in the decryptor, which will be discussed later in the "DECRYPTION PROCESS" section. This number maintains a unique identity in your machine's encryption process. In addition to being informed in this document, your PERSONAL ID will also be printed in the "personal_id.txt" file in "C:\Users\Admin\Albabat\". Do not lose your PERSONAL ID, just as you should NOT lose the "Albabat.ekey" key. - 1.3 - THE ENCRYPTION PROCESS Encrypted files have the extension ".abbt". Don't try to rename it, it won't work. On the contrary, you may corrupt your files. The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB). The "Albabat Ransomware" randomly recursively traverses all directories it does not belong to the operation of the Operating System. Encrypts files in the user directory, even database locations and drives mounted on the machine if any. The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that. The "Albabat Ransomware" saves a log file named "Albabat_Logs.log" in the "C:\Users\Admin\Albabat\" directory. This file you can see all files that were encrypted by "Albabat Ransomware" in path form. [+] 2 - HOW TO CONTACT [+] These are the only ways to get in touch to recover your files. Any other form found on the internet will be fake. Contact methods: Email: [email protected] [+] 3 - PAYMENT [+] The decryption process is PAID in Bitcoin, so you need to have a Bitcoin balance on a cryptocurrency exchange or in a cryptocurrency wallet to make the deposit. You may want to read the FAQ page to know what Bitcoin is. Payment data: Bitcoin address: bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj Amount to pay: 0,0015 BTC - To make payment and restore your files, follow these steps - (1) Write down the data to make the transfer via the Bitcoin address and the AMOUNT to pay specified above. Note: Remembering that the price of Bitcoin may vary monetarily depending on when you make the payment. (2) - Once you make the payment to the Bitcoin address above, send an email with a structure similar to this: Subject: Albabat Ransomware - I did the payment! Message: Hello, I made the payment. My BTC address where I made the payment is "xxx". The version of the "Albabat Ransomware" running on my machine was "0.3.0". Follow the attached KEY "Albabat.ekey". IMPORANT: Payment will be verifying using YOUR BTC ADDRESS ("xxx") in which the transaction was carried out, so it is IMPORTANT to inform when sending this email. It is also IMPORTANT that you send the KEY "Albabat.ekey" as an attachment, regardless of the contact method you chose. The key will be decrypted for you. You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "decryptor.exe" attached (zipped). Albabat.key" and "decryptor.exe" within 24 hours, but it may vary by more or less depending on my availability times and the amount of demands I receive. Be patient. [+] 4 - DECRYPTION PROCESS [+] > To decrypt your files follow the steps below: (1) Place the "Albabat.key" that you received by email, inside the "C:\Users\Admin\Albabat\" directory, or, if you prefer, keep it in the same directory as "decryptor.exe". > IMPORTANT:At this point, it is very important that you close all open Explorer windows, and heavy programs, to prevent "decryptor.exe" from crashing and/or have poor performance. And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process. (2) Run "decryptor.exe" and enter YOUR PERSONAL ID, then press ENTER. An alert message will appear informing you that the decryption started, just click Ok. Note: If you are on Linux, open a terminal and run from the command line to see the process. E.g: ./decryptor (3) Wait for the decryption completion message to be displayed in console, this may take a while depending on the quantity of files that have been encrypted and power of your machine. You can see the decryption process by I live from your files, if I have time for that. (4) After decryption is complete, all your files will be restored and the decryption log file "Albabat_Logs.log". will be created in the decryptor directory. If you have further questions, such as: "How can I be sure my files can be decrypted?", you can read the FAQ page. Copyright (c) 2021-2023 Albabat Ransomware - All Right Reserved. Maintained by: tH3_CyberXY.

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (88) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
defense_evasion
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Albabat\\wallpaper_albabat.jpg"	Albabat-0xb.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3d128a2f-1ee3-4144-a901-1c5ccbfe4614.tmp	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1880273360\office_endpoints_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_479879274\manifest.fingerprint	msedge.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bfbc81d5-6055-49fc-94f7-e7d1eff9509c.tmp	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1490731913\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1880273360\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_2074307162\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_766492466\nav_config.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_766492466\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1880273360\smart_switch_list.json	msedge.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6100_13388201920376276_6100.pma	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_479879274\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_479879274\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_2074307162\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1490731913\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_479879274\sets.json	msedge.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_479879274\manifest.json	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6708_13388201920332949_6708.pma	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_2074307162\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_766492466\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1880273360\manifest.fingerprint	msedge.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4468	sc.exe
4360	sc.exe
1240	sc.exe
4424	sc.exe
4344	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2264	vssadmin.exe

Kills process with taskkill 17 IoCs

defense_evasion

pid	Process
6112	taskkill.exe
5444	taskkill.exe
5196	taskkill.exe
760	taskkill.exe
5840	taskkill.exe
60	taskkill.exe
1120	taskkill.exe
4628	taskkill.exe
5784	taskkill.exe
2948	taskkill.exe
1156	taskkill.exe
1140	taskkill.exe
1860	taskkill.exe
4416	taskkill.exe
3120	taskkill.exe
3400	taskkill.exe
2100	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133882019201975409"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{788EE34C-8FA4-4D7F-A862-7EDC9037C19D}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4908	Albabat-0xb.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	5620	vssvc.exe
Token: SeRestorePrivilege	5620	vssvc.exe
Token: SeAuditPrivilege	5620	vssvc.exe
Token: SeDebugPrivilege	5444	taskkill.exe
Token: SeDebugPrivilege	60	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	5196	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	5784	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: 35	4908	Albabat-0xb.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2264	4908	Albabat-0xb.exe	91
PID 4908 wrote to memory of 2264	4908	Albabat-0xb.exe	91
PID 4908 wrote to memory of 5840	4908	Albabat-0xb.exe	92
PID 4908 wrote to memory of 5840	4908	Albabat-0xb.exe	92
PID 4908 wrote to memory of 6052	4908	Albabat-0xb.exe	95
PID 4908 wrote to memory of 6052	4908	Albabat-0xb.exe	95
PID 4908 wrote to memory of 5564	4908	Albabat-0xb.exe	96
PID 4908 wrote to memory of 5564	4908	Albabat-0xb.exe	96
PID 4908 wrote to memory of 3428	4908	Albabat-0xb.exe	97
PID 4908 wrote to memory of 3428	4908	Albabat-0xb.exe	97
PID 4908 wrote to memory of 3968	4908	Albabat-0xb.exe	98
PID 4908 wrote to memory of 3968	4908	Albabat-0xb.exe	98
PID 4908 wrote to memory of 5756	4908	Albabat-0xb.exe	100
PID 4908 wrote to memory of 5756	4908	Albabat-0xb.exe	100
PID 4908 wrote to memory of 5064	4908	Albabat-0xb.exe	101
PID 4908 wrote to memory of 5064	4908	Albabat-0xb.exe	101
PID 4908 wrote to memory of 4528	4908	Albabat-0xb.exe	103
PID 4908 wrote to memory of 4528	4908	Albabat-0xb.exe	103
PID 4908 wrote to memory of 4536	4908	Albabat-0xb.exe	104
PID 4908 wrote to memory of 4536	4908	Albabat-0xb.exe	104
PID 4908 wrote to memory of 4544	4908	Albabat-0xb.exe	105
PID 4908 wrote to memory of 4544	4908	Albabat-0xb.exe	105
PID 4908 wrote to memory of 4728	4908	Albabat-0xb.exe	106
PID 4908 wrote to memory of 4728	4908	Albabat-0xb.exe	106
PID 4908 wrote to memory of 4492	4908	Albabat-0xb.exe	107
PID 4908 wrote to memory of 4492	4908	Albabat-0xb.exe	107
PID 4908 wrote to memory of 4504	4908	Albabat-0xb.exe	108
PID 4908 wrote to memory of 4504	4908	Albabat-0xb.exe	108
PID 4908 wrote to memory of 4552	4908	Albabat-0xb.exe	109
PID 4908 wrote to memory of 4552	4908	Albabat-0xb.exe	109
PID 4908 wrote to memory of 4560	4908	Albabat-0xb.exe	110
PID 4908 wrote to memory of 4560	4908	Albabat-0xb.exe	110
PID 4908 wrote to memory of 4616	4908	Albabat-0xb.exe	111
PID 4908 wrote to memory of 4616	4908	Albabat-0xb.exe	111
PID 4908 wrote to memory of 4576	4908	Albabat-0xb.exe	112
PID 4908 wrote to memory of 4576	4908	Albabat-0xb.exe	112
PID 4908 wrote to memory of 4644	4908	Albabat-0xb.exe	114
PID 4908 wrote to memory of 4644	4908	Albabat-0xb.exe	114
PID 4908 wrote to memory of 4768	4908	Albabat-0xb.exe	125
PID 4908 wrote to memory of 4768	4908	Albabat-0xb.exe	125
PID 4908 wrote to memory of 1572	4908	Albabat-0xb.exe	127
PID 4908 wrote to memory of 1572	4908	Albabat-0xb.exe	127
PID 4908 wrote to memory of 2560	4908	Albabat-0xb.exe	128
PID 4908 wrote to memory of 2560	4908	Albabat-0xb.exe	128
PID 4908 wrote to memory of 5232	4908	Albabat-0xb.exe	129
PID 4908 wrote to memory of 5232	4908	Albabat-0xb.exe	129
PID 4908 wrote to memory of 5732	4908	Albabat-0xb.exe	131
PID 4908 wrote to memory of 5732	4908	Albabat-0xb.exe	131
PID 5756 wrote to memory of 5444	5756	cmd.exe	141
PID 5756 wrote to memory of 5444	5756	cmd.exe	141
PID 2560 wrote to memory of 4468	2560	cmd.exe	142
PID 2560 wrote to memory of 4468	2560	cmd.exe	142
PID 5564 wrote to memory of 60	5564	cmd.exe	143
PID 5564 wrote to memory of 60	5564	cmd.exe	143
PID 4616 wrote to memory of 1120	4616	cmd.exe	144
PID 4616 wrote to memory of 1120	4616	cmd.exe	144
PID 4552 wrote to memory of 4416	4552	cmd.exe	145
PID 4552 wrote to memory of 4416	4552	cmd.exe	145
PID 3968 wrote to memory of 5196	3968	cmd.exe	146
PID 3968 wrote to memory of 5196	3968	cmd.exe	146
PID 3428 wrote to memory of 1860	3428	cmd.exe	147
PID 3428 wrote to memory of 1860	3428	cmd.exe	147
PID 1572 wrote to memory of 1240	1572	cmd.exe	148
PID 1572 wrote to memory of 1240	1572	cmd.exe	148

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Albabat-0xb.exe
"C:\Users\Admin\AppData\Local\Temp\Albabat-0xb.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2264
- C:\Windows\system32\reg.exe
  "reg" add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 0
  2⤵
  PID:5840
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM taskmgr.exe
  2⤵
  PID:6052
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5564
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:60
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM winword.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM postgres.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM postgres.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM mysqlworkbench.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5756
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mysqlworkbench.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5444
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM outlook.exe
  2⤵
  PID:5064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM outlook.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM windowsterminal.exe
  2⤵
  PID:4528
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM windowsterminal.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM sublime_text.exe
  2⤵
  PID:4536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sublime_text.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM onedrive.exe
  2⤵
  PID:4544
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM onedrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM msedge.exe
  2⤵
  PID:4728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5784
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM msaccess.exe
  2⤵
  PID:4492
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msaccess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM excel.exe
  2⤵
  PID:4504
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5840
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM steam.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM steam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM powerpnt.exe
  2⤵
  PID:4560
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM powerpnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6112
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM code.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM code.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM mspub.exe
  2⤵
  PID:4576
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mspub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM cs2.exe
  2⤵
  PID:4644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cs2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL57
  2⤵
  PID:4768
- - C:\Windows\system32\sc.exe
    sc stop MySQL57
    3⤵
    - Launches sc.exe
    PID:4424
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL82
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\sc.exe
    sc stop MySQL82
    3⤵
    - Launches sc.exe
    PID:1240
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop postgresql-x64-14
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\sc.exe
    sc stop postgresql-x64-14
    3⤵
    - Launches sc.exe
    PID:4468
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop postgresql-x64-15
  2⤵
  PID:5232
- - C:\Windows\system32\sc.exe
    sc stop postgresql-x64-15
    3⤵
    - Launches sc.exe
    PID:4344
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL80
  2⤵
  PID:5732
- - C:\Windows\system32\sc.exe
    sc stop MySQL80
    3⤵
    - Launches sc.exe
    PID:4360
- C:\Windows\system32\cmd.exe
  "cmd" /c start msedge.exe --kiosk C:\Users\Admin\Albabat\readme\README.html --edge-kiosk-type=fullscreen
  2⤵
  - Checks computer location settings
  PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\Admin\Albabat\readme\README.html --edge-kiosk-type=fullscreen
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7ff96109f208,0x7ff96109f214,0x7ff96109f220
      4⤵
      PID:2292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1884,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:3
      4⤵
      PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2512,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:2
      4⤵
      PID:924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1812,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:8
      4⤵
      PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3304,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=2576,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=3956,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:8
      4⤵
      PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=3964,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:8
      4⤵
      PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=3972,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
      4⤵
      PID:1532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4044,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:1
      4⤵
      PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=4084,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:2
      4⤵
      PID:940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=4104,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:1
      4⤵
      PID:2688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4296,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:2
      4⤵
      PID:5676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=4412,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:3400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=4468,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:2
      4⤵
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=4500,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:1
      4⤵
      PID:5896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=4516,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:2
      4⤵
      PID:1036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=4748,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:2
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=5344,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:2
      4⤵
      PID:5712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=5452,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:2
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=5484,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:2
      4⤵
      PID:4844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5620,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:2
      4⤵
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5124,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7112 /prefetch:1
      4⤵
      PID:920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5156,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:8
      4⤵
      PID:5756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=4836,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:1
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=5144,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:1
      4⤵
      PID:1928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4292,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7112,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:8
      4⤵
      PID:1680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
      4⤵
      PID:2652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7680,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7704 /prefetch:8
      4⤵
      PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7680,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7704 /prefetch:8
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:6100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff644126a68,0x7ff644126a74,0x7ff644126a80
        5⤵
        Drops file in Program Files directory
        
        PID:6672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --system-level --verbose-logging --installerdata="C:\Program Files (x86)\Microsoft\Edge\Application\master_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Drops file in Program Files directory
        
        PID:6708
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff644126a68,0x7ff644126a74,0x7ff644126a80
        6⤵
        Drops file in Program Files directory
        
        PID:6760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4260,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8
      4⤵
      PID:6908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7872,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
      4⤵
      PID:7052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7988,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7976 /prefetch:8
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7992,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7880 /prefetch:8
      4⤵
      PID:3716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7944,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=8108 /prefetch:8
      4⤵
      PID:6388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=8256 /prefetch:8
      4⤵
      PID:6396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7932,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7908 /prefetch:8
      4⤵
      PID:6476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8136,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7968 /prefetch:8
      4⤵
      PID:6280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:8
      4⤵
      PID:6372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6592,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:8
      4⤵
      PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5160,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:8
      4⤵
      PID:7008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7640,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:8
      4⤵
      PID:3068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5812,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1056,i,6833661728333847575,2484976801906544465,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:8
      4⤵
      PID:6216
- C:\Windows\system32\cmd.exe
  "cmd" /C "del C:\Users\Admin\AppData\Roaming\Albabat-0xb.exe"
  2⤵
  PID:3228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2a8,0x7ff96109f208,0x7ff96109f214,0x7ff96109f220
    3⤵
    PID:5444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2132,i,9886215156666041318,3530229964772137801,262144 --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1864,i,9886215156666041318,3530229964772137801,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    PID:5292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2600,i,9886215156666041318,3530229964772137801,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6100_13388201920376276_6100.pma

Filesize
344B

MD5
1b7cdddfb06152ae01f12d9f253237d6

SHA1
1ef358781a086a0727f4fa95cd53510eb328bc52

SHA256
fd668d6edcf6b6cc176edd9bf7b0d7f1881fe2f0d94ebae656127c27a359550e

SHA512
4705c93b233be92dd2d04649d404b538bc76607bbe655d5e35a739653ac1af776ecdd12ec1cbf81476070ec5bae633f891817155014730a06939efb21bd132ea

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6708_13388201920332949_6708.pma

Filesize
928B

MD5
4aa4cc69c68801d0a87c9b6b24d9dfa1

SHA1
ddbca7a5748cef997d0f082a6d3fbba64f133c46

SHA256
09fda0ee6ee160e89553b555a3c2b6505626a2fea5caa1d467dbb32e27b68fd7

SHA512
2507e57c64c5be26432544812f0d69f7445ef0645494c1165351f997a5e8a5b6945945742216d9a8cfbb8b9e2f0eefd5158271be6b5c0a87e61059680d4aa72a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1490731913\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4796_1880273360\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4796_2074307162\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4796_479879274\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4796_766492466\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Program Files\msedge_installer.log

Filesize
108KB

MD5
cb82d5643b3edf834e6dde62d844ca76

SHA1
9337fe65c906993f7d3e7b9888142ad1d0cb2def

SHA256
f9a2c629e3e33b52698f89e5618ba0aa9e42cbf3ae14a41cab147ca220419d88

SHA512
fbe246c4ae86f68a9af180c5ff6e0445e9d823f37001233e6a1876dfbbe3d8633f3aa834d447d4ba24f72033f050b227eeb0717008fd4dda16f51c07e7395917

Download Submit
C:\Users\Admin\Albabat\Albabat_Logs.log

Filesize
5KB

MD5
c284c2307519e61b8d06f45ff886b9a9

SHA1
4f907d6acd41a19c39257cc47df717e0768e447a

SHA256
324be9d31455a22be4b6bd34a8225b172770a4fe9a13c1e5802c898267bfad30

SHA512
3ef35c09a50b33056b0ea38fb1e5dae86e8b2527b45c6c6f7ff7f28b2d4e26c2b640f984dadec5b61324b2798a62ee29972a77e94d70446fe5d7de06f29b2e87

Download Submit
C:\Users\Admin\Albabat\readme\README.html

Filesize
11KB

MD5
b2f84791f1bb79345fced5a9722b3e6b

SHA1
a26e580e8642c3078f799a1a0594cfed8f697edb

SHA256
2c42622507c48e3a7c389f914fd4b8361c939952d516b2d2f6190c107bd11097

SHA512
dadd15b9bb5f5d543650078ebf495f2b82048dfc225f04cb6b2c38bc042977358f2695911de54fe7b7a2d0a9fcae5041e14e99f710ad90abf37a7341ae4afadb

Download Submit
C:\Users\Admin\Albabat\readme\assets\banner.jpg

Filesize
34KB

MD5
cdd21e46a5979655fe9debcf8d59cd4b

SHA1
94f8ce57c0507b88952fadc3f6f244fce64d2085

SHA256
de25a55ff7e70c900c5e49e32aad2a0704ab074af5fee3eac230dc9bab373f04

SHA512
bd0ce1c5098ffcfb52e3e183ba025ef1be4d0dd4a3fe8a90b60bb139d4717263e427339f1028aeec6aa8d32ff31181ebff8d306d2c34b57015b2a3049c21f45e

Download Submit
C:\Users\Admin\Albabat\readme\assets\script.js

Filesize
1KB

MD5
e9f53c2fe8f64fb7d0734d13ee9a4e32

SHA1
f93d0cfffe122ed8a1731b811593094c813a8456

SHA256
ec235d691cfabc4ef54a889398e17d11541b10f27a066e10444429c86a4565bd

SHA512
ec67691036ff7047aeed7b4dade254164d2a5e60cfd5a58269023ac843252e7d916c826e6f0a186fb6398a11e651e6fca9cf889a81894095efd43253fd5e1e7e

Download Submit
C:\Users\Admin\Albabat\readme\assets\style.css

Filesize
2KB

MD5
a4aa4f0c506a5e9c608773293ff7b794

SHA1
b360063387c81c49184cd67341c1da46e7ee6693

SHA256
c18a7519a841d7b8b32f5fedfb8d7cb1107c0d03c1c0d5ec7b6c41564814dddf

SHA512
23e17b9ca42520c0a07a1031ae096dfb837196d3928205c8eadbceda87bfff5f1655ee953bd725298175564f96d96e751d9f02ee0b83d25b134b292fea175815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
280B

MD5
dab5d76d357bee93de6856af8a76dfec

SHA1
74dddc65cf48f78193e5c74524c7fe462b7d0828

SHA256
eebd961639f18fece1573beacaebe96d2a5b0b61737e4335d9b1e8a7226f48ea

SHA512
9d986116422567ad036618d9d9cac5e439aed4673380855859f457a24d29f1e48dfb57f6ca4e85c8a235da060debca9eb333e6e913f9373baf315efd9c4b7ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
280B

MD5
a6e60b1e51901d1bce56502e0382d77d

SHA1
af5f349130c7c61668230ffdd1f983ee5d83cef3

SHA256
a14b6158d1de86ebb90353af5944457758d7a519d953f6f5ffc9c6b536021b91

SHA512
6b4cb3d09cb47bad756a218ec00476dfd55b7abee09709475900738364899f707798fcfa9730bdada7f31f5ac8e24e2a70de7c86f703e6b0762cfcb3ec7fd843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\66adbc65-46b4-4129-9640-6291efd23091.tmp

Filesize
29KB

MD5
494c8cabeb593af0b171feec04920cdf

SHA1
518dbcea56403554d3c84eafa85d38a3ca79bc6d

SHA256
98bad9c7270b103906625aa13f42ac5df07daf2de666376027d33df24896b043

SHA512
bddfdee6cade120a6084d4c2b8680a3412e44e7f92135f32e282b7891a66c87eae1f68f418e3da526b71cdc751f0ab3aa50a9156b00d35b96dc353ae658dc5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\6f7e8544-e64f-46d8-b5a5-dfb3a45e8e92.tmp

Filesize
9KB

MD5
286daa108faf61f79b328a0e01a685dc

SHA1
b5263dca5dc8b24db0144b624c33aba3ef9fd1e1

SHA256
81069a4f0776edc6fe7780c18c82f828166175d9331fc32a84473a1bd200e837

SHA512
6c377f806071baa6be6f76e8623b6191d76f7d60970bf4d7ade3c96cd0801d40a3bb5dd23920a8c5131e89169c932a9a9f7568ef3a1ff7d366459a93873156fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
3dad69bbe0b5e679b875b7e19102fdb9

SHA1
682d657c3d19f3d721dea5fe045673dba701fb6e

SHA256
5183e1bd5510e2bb675cb295a3e9eb14a2b6c2b77240e7b35a30f56052c0fcbd

SHA512
4931309ee1cba4dbc10e40e7d83271fcb9b7ef597bc4f6fc90ae0e9c15c053aa2a29f69cdbf6087812bf8aa2ab5bd972053ca61b8c48b9fd43159e1118604ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index~RFe57cdcf.TMP

Filesize
48B

MD5
91fec2874f4d2c410c2c39ee2fb82e32

SHA1
e1d32a2c4ece2910391a3477233b40fb5b576a71

SHA256
e95fb24ae92f7b246ad02cc28478d52d4f1c75744195b161870156452c122716

SHA512
2a3cf0b21e5701c100b8353a1ca4c8fb320e9a41a8c8477634871634c7a5ede144057a2093227ff6f0d59582b7dd76ae2c7c00aa047219448cb73fcecc4f4453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

Filesize
1KB

MD5
01fbb6664b0544a7f013a4f723055c7d

SHA1
69e646f742c440e70fa6ddd69739226c6f4432c2

SHA256
7878350ae308cf69d8cdc9e4d36d9354dd6909881dd0637eaad4f56e43ce6a41

SHA512
092a12c849e547763a45f776da52f8b50e072285623145c0c77f2739f091f99786f9a26393a6640fba6094d09d885a229793ca1f795f7dc861e1d0f9e81e1533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

Filesize
9KB

MD5
516fc18a8e197e32ed10f6b44338a0e5

SHA1
917d958963de4b3c6056ba9312f6aa6d7762f7f0

SHA256
3ce0c2025822c717d7201df13ab758f23432c8c3a1f9b7de7320417b6bff816a

SHA512
9a27008d43e939c1eba6a88a8ad4f01d097d66652e4a078b8946bc21a8e562297904f3e1efcee21503fe0d1970f2974f458d0bc22062e53266355ffb8e85735b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
784772199f95af24194daa818a24f52b

SHA1
2173ce27d3a92708c79f2c745ffff6b5eef45a53

SHA256
79911949ba753fae6d8c0dff281f5d2f6457ef857814ce33490442856f657df7

SHA512
b24aa88a10e3f68279a338867362f25cf818febe0c7266e9211a33ee003a5f47390a9a98667a4e386df03d2d83731c7a288498d9c5fc16044790d0d777d7b80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
51e8a3636d516657772cad87c668c999

SHA1
5b6fe35846616af543018c71f9af429700be44a2

SHA256
512f648eba92234cbc795323e12c6d864812da946cdf619a604c3102be13c1af

SHA512
c1bf6d0666eaefc55166aa506f7541736f10922f3c67476c8aabb218f040d621079d620bf3a54082caf8cf5caef3a67d3d7e9f2774e20288fe1e352ec8b7d441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Edge Cloud Config\6e530847-624b-48cc-bcea-cfaffe2645fb.tmp

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Edge Cloud Config\CloudConfigLog

Filesize
872B

MD5
46dcbaa4ab1f1744fd1f3e1e922ede04

SHA1
e50af67edacb8d6150c081b3a3e52f873840eacb

SHA256
e8bd4d2fd6b6f63ccee564091207a35942c9a3e4633e726a6aeb280a305a9170

SHA512
479c6d126bd3b2be67c526bcd3946d6040a4289c6b7f0719ac648a9abd037e8ac7eea917c0d684a5e8e7b72599265fbdc62d17085380c54efb367e8bdb77ddb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
a86abd59048f92ba68e47716945ec1b3

SHA1
de37513a5ee9c224c1bd9ceb70e3e7e042574a7a

SHA256
3fac5da67fb1ed0f8a14fd3eef516c0c7f1286adcebe86e1a1f5910557b3d0b9

SHA512
6bb1689e44b733064d5469988292797ebc026f64d3008d0eaa34bb9b436a550ba0b8f7f1b893487ac3270fb5184a65ad94d81835da67fccad0b0519460c5fc3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Edge Cloud Config\CloudConfigLog~RFe5867be.TMP

Filesize
465B

MD5
ae3d77a89274f2967b9e820a1d03785a

SHA1
79bf6968e0a574fd85affaa36ad073955da308bc

SHA256
45c235737519beba6570f6ca64458efab260b0755473959036af8ccef138279c

SHA512
6fcc1b45ff9374e38e639bef6da4fe44c32d05600472ff754476e1654aa98ff8b80d02f2a2bd05a46ca1b6bf5012f94fd315063be64e45471c20b2e16d789c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

Filesize
3KB

MD5
d45021613f3ea1efd5f1a2c69bf7323d

SHA1
92f9cda461ba22e1e773125756e5ab12869568a2

SHA256
2d581059742fd72eaf39883b23535f6679555e9b191b6de9dc2224455a8887ea

SHA512
743b38f7201fbb690400ee261edf1852c4f1241c550e24828061ec05fc9797b1e3bc87277c4dc1118a060249f6e011e47d800e1f73a7791a671e5b9be0888784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

Filesize
4KB

MD5
356120cff2051449c809ed7a67ea8c6f

SHA1
ea11b702ed5c5c56851d7ca97392aa51e7657883

SHA256
b9d4b79d7d7d79bfd31f50ce29203b9127465bcf3d5e993c9f3290407bced5f2

SHA512
a69415d308b19324f51d33749665dc24b42b125fc763874dc86def6daec65c28c100fdafab17fcf165187c1900f6ac497703163f3a519a0b97c33063cec1cc0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

Filesize
29KB

MD5
a7aeee585f05711334d483937980d2c8

SHA1
71fa6c736fb46f4e05c0ab32f436994c4a32cee2

SHA256
65bb2aa0b2a96f110801cb65bddd2f3ab2ec70bd51dbff2ad9d2e2bedfa23a8a

SHA512
f5095bcd7eff9f759c67b47cb065315fa1de4333056bf97c44a698accd1135a7b09b8944d5be30648a526b060b7f30d25d267fe2b7116b95504efaffb4f4ab45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

Filesize
33KB

MD5
00a08f68a4f827dc3e6a15dc10358ade

SHA1
eb699608cfcc88eb843d5db12cc5f76b4d57243d

SHA256
3efb57aa69b01a084f6a420827e5f145266cbf2ff69fe3e77ed636c2ecf6745b

SHA512
d6f3705cbbe1fc720fd12f6d03dec8622d7d2c5217ab0c1b401981b015b4c60654b6a22a76790a1842cb7d9cd7405f4dcec301a84402e4772f2201b2bfeaedc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RFe577be7.TMP

Filesize
1KB

MD5
974a60b3efac47181b68ccdcacf381b3

SHA1
7d0c1f01950598a9b8c183d3fbfce652092fa2eb

SHA256
6dd7a7ad8b339d6a66710a721f7b39c4f2b3c5aea23c87b12fb0186d450a69c1

SHA512
3c3433ebc670b66348e829f14d0c8345f00bbcf1d0bc4f31f70506517c7c36a5f2bb93aca2d3c77b358f3fdb1abc53028001d756ac938487b3940fbdf407d09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\8efb1ed0-df97-4b5e-8e93-4558759b0320.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8bd286433e2029dc00f91bee62a2dd41

SHA1
4504618621d367175ca228b53b45925980d43aff

SHA256
1d7e4ba000086607e6ae9ba02af546ca560c41f59d44144b588d7a97f0ad9995

SHA512
5ea5e88fdc07c305a583a2dae510af46113109c8e80fd234e749c7106e8376011c0b10fe2734037bdc3f38d7257146394778b39196189d3de47f3cba33f8258a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2a587d36c57385e24004c01b10dba2f4

SHA1
455dbf2db6751d8026ab19f97f6315ccef3da2a0

SHA256
2f8a895e6e531964cc579de74777c92b942166efd2c40d83802ad089eb57f1b1

SHA512
5c7a705b0a989b86d3b1e8236ea9d1fbee671dfce1a29c8827548bcccf11b7d7381759af74254df713ef755c48ded3b17b4a437313da3103bf081a6428474dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1c3bac-c9ec-49b2-9ee0-fe68f9d1e4a0.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e924fd1-fd1c-4e60-a86c-27d4f6554270.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4796_2038822722\c08fda6e-2567-4f26-9699-fafadc1b1a19.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KOR8LU1XVBAIJICIMK9T.temp

Filesize
3KB

MD5
d82147c1976242a9008712a405a42fb0

SHA1
d370d7eadf709ef11afd1b3c55b82779068e2b56

SHA256
6bb4abdf4f1da253177b8f463d99ccddb123b0c47d3789d94220f61d5b44f2e3

SHA512
f7cb548292906f04a74827eb704b2d6b04f2939234dfc09e3fa7c406d5c29cd58014e923411d95aab6f3dc16f6a38581f11d480d8b701ffa0e2566ec34a00525

Download Submit
C:\Users\Admin\Desktop\ConvertComplete.bat.abbt

Filesize
450KB

MD5
5d9264b6a1c9d9cf7ba9d1e828ace29a

SHA1
374ae1b55c899d625d543ba81724e6a352f22b74

SHA256
a130142fa8f7703690cde43e72dd19ded2f31e3e1a7de257aa6694253f4bd522

SHA512
4dce2142535cad7e78f6af40f13add8bf476db5dc70b854012a2fde7550f57e8cbb52cfba16666eb349cfd3c51abeec541089e97ef17ce50fcb4c0dc057f13a7

Download Submit
C:\Users\Admin\Desktop\ConvertToUndo.mpp.abbt

Filesize
512KB

MD5
ef0fe2d159fb4709e51dc93de089db70

SHA1
1165a986d86f715dbada39bcd3c3039f84d188d5

SHA256
a933255037cec84bc07c977179536f84fedceb99c034cc09d31e639ae384e786

SHA512
0a199a6d5f7effc4d20a2ae4aca06dffab85925da36d81ecc827bf570f5cd01fb6f5be81d35357ceb14a2d18044b8af7b151c8b1844bf020506a3eee54727f47

Download Submit
C:\Users\Admin\Desktop\DisableUnlock.vstx.abbt

Filesize
798KB

MD5
850c5cc75cc27a29e023d825032d1c58

SHA1
deaf8b1ed0ed76052495f28de0a98fb29107eac3

SHA256
4aa00afc878c1456c34d3d00e20bfcb23fea6bc02be2252feba52aca19776471

SHA512
0f4ce83a976ecce3acf98eee1ea4d9c2e7822edca900958317b7cd4b1e172b4412f7569c04ca31aab3ada643ddb082f54764912a436ff5dc664cde914d0dcc18

Download Submit
C:\Users\Admin\Desktop\DisconnectRestore.mpa.abbt

Filesize
389KB

MD5
bf9203d6dde8bc416acd9a6ac7da0ab6

SHA1
844761d744459ab54941ac5e2a19f435bef3b960

SHA256
fa0f3095cc7ee16b29ffac32b299f6e7ea705b6fc952416564f41fd8cd04fa1b

SHA512
668c0b8446279dcc033e30ce76cff0ae90fbba8320f9db610c49b1cfc822198418ec99dad3f5f0062705baa86fde661e5f46e21d8bc5c360c6c3b1659e11fa91

Download Submit
C:\Users\Admin\Desktop\ExpandInvoke.css.abbt

Filesize
225KB

MD5
ae6459ce1902c708063b71dfe14dd9b5

SHA1
eedee2ed68dbbf0332d53656eb3791e8c6bb93f2

SHA256
a41b65f08781d475552dcc21a70423c26e119b2c3a8f8c25eb73da408745fcb2

SHA512
7f83c75f060df5793010041c092a33fe6984c612189f1e8ccff54528c9c8ff5283bab1fa127c5ed22153de62b436780b3f91cdfefff29e40655ae0f694ccbe54

Download Submit
C:\Users\Admin\Desktop\GetUnprotect.wpl.abbt

Filesize
368KB

MD5
eaca22c075ab3c86b7687bce5f54ba19

SHA1
26f12396b93b3c8cdc7a8df7ef8b9fc8801fc650

SHA256
17d368942608a391b5211d218b4a14fbb959bf35ac3a820fd4861cfc879f81dc

SHA512
8c836fdcdbf240fc92bddb3dc8f84f5219a8acbb43b31aca06904cbbb93fad8fe769ee67105ac55440bd13ecfca21ac560202bcba63f4b55b453262011c2da96

Download Submit
C:\Users\Admin\Desktop\InitializeStop.M2T.abbt

Filesize
532KB

MD5
a96c3da241927384f7a9f74ca68f944e

SHA1
d2f4d71e8a6fab23b1dcd055da847132410d7bf5

SHA256
f28618da0a7d9663ef8bf004d95112bfe7eccaf5171ed091bf0a25f7a2d05a42

SHA512
732e9106a393426c70d3bdb553594bff38265014b6330f5f09483d888eabb50534722956cd4b1c5b5ee242b355ae1da8b32a57012ac37175b0af5b416253d773

Download Submit
C:\Users\Admin\Desktop\NewCompare.vst.abbt

Filesize
286KB

MD5
b399e21dc4948dbabd9dfcb7244c02cd

SHA1
04c550214519ad02fbcb84e08cd103a91d145a9d

SHA256
d791cc4cdb6fe72794191cfeb67744f8c175fbd8138bee4f779257467b64e677

SHA512
4aff3d40a1affa05e572a9fae0f8a351c555ebee4b203838dd76dc6da7fdbb663968e19024f172313ab1b5755990c7cfcb75dce9e444c800a1435348474e3365

Download Submit
C:\Users\Admin\Desktop\OpenLimit.docx.abbt

Filesize
18KB

MD5
9af248811aa8603c3d8fb55e5853f577

SHA1
08d8b18216da1cde4d145c3fe696d5a45a9c004e

SHA256
63034f16e3ea5e419f219889c916bbfb9ac26307d1dfa64873460a02be6fc5bd

SHA512
2be56028e5e052ef0b78db169c9d9f0a180abbc5ef64acdac64f1a55fcfb33156621d9ac31e24a0418c5a89025ba4bb06cee45e037afa7dd68b55f09b5341348

Download Submit
C:\Users\Admin\Desktop\OutApprove.sql.abbt

Filesize
552KB

MD5
511de8f1fa62908dbe83afd9e86424e1

SHA1
0b832728fbc34c415fae0d77bd3f85c6d3dbb892

SHA256
2869b6308e2ba1319d7673892245ddcf73ce5cd7ff76b0ef5d6f663fa71be0b4

SHA512
4433dd720a9b3361ce9349b9ddfcce723b3c2737127af34d6ccbc224af2e809c16f6e107d8e1dfaa89a0ae3644ba16461722d2c63b6e0fd69b338163c72ea695

Download Submit
C:\Users\Admin\Desktop\RedoUnlock.xls.abbt

Filesize
307KB

MD5
84aedec41db4e270c38bf443305a749d

SHA1
3763dea63d95749d088d62ee3bd49a557ab6760d

SHA256
ed73cf54c0ef780c5be02143be667ef8579c6df395ba9ccbb8ba5fd9d6fdb3a0

SHA512
3f49b7bba2d701b861c926bd2520d0d1e7c398e549edf74b65b9aac998a1676b4175b70b0a049d9e7facc92394aee9d95ddeecaa7b8ba9e88cff844fbb4ce643

Download Submit
C:\Users\Admin\Desktop\RegisterPush.xlsx.abbt

Filesize
10KB

MD5
8a43fa7817215822f769b11df6566aba

SHA1
7fc0433e350979d50eca638fc9eba3f05ef1ad00

SHA256
41627ad48b711a55ebc866c238ea84948150326adbd3f1204f1294dc7d163210

SHA512
2af9f7ab73b78a59a5b0c211c39eb82eff23de3f0b1b72395d3bb3be924d7034c2097bfc2cbd89525b2f9ccb9978f7b4063766fd81a83e15c062e7d6e73e6755

Download Submit
C:\Users\Admin\Desktop\RegisterUnblock.xlsx.abbt

Filesize
9KB

MD5
babb1b804bae9a533a617a6229cda6f6

SHA1
529e1e542f62de1d0493c72bdba7454a0b1bdfe8

SHA256
dc08694239b305372e4652ef33b5cae14fa9596a017c83a2ad8a48bb432be66d

SHA512
8fc37505cbd6551e229161dfdd4edbcdb7ce286892fee4f28ef40a8b6b1e8b355db42e045ca6c5986b5efa6e330bddffffd13b4cf67c7f7c91e508de4ff143fa

Download Submit
C:\Users\Admin\Desktop\ResolveMeasure.wax.abbt

Filesize
573KB

MD5
0196ee665631326a0d02d571b18d4f60

SHA1
17885b34b2b94833fc6af328c9948b3d5b45e7a0

SHA256
d5ffaa306c7a067d58a260154aea1447da79cce575a4448fb92b1f4e526892cc

SHA512
ffbc6841f590af1517c410d7026af5d360645fdfca0f266f5c6ce4ba66b157bafd7f6a3582325f8d0b0f2d0cfdff38abb299339778cd1c7b603bd2ddf3c32691

Download Submit
C:\Users\Admin\Desktop\SendWrite.ADTS.abbt

Filesize
409KB

MD5
d6dcd327af9185e37d3376a4dcfa9b6b

SHA1
13bcfc14b1f4a1692b44677ef97a48c31bdfc7b3

SHA256
f378cabcb159586ca7bee25a7ddc86f987e7c01f25e95682b7197e206b0f2c67

SHA512
cd0a7a95a24bdde98f60da96a2f08fca7c878706bfb3e7a7b5094ac27ba84989f3cd9d84f0c2c77e569323afc81a9f668594961f2cf3d316d562569c03b8376f

Download Submit
C:\Users\Admin\Desktop\StopRestore.rle.abbt

Filesize
245KB

MD5
cb3a06837135d6a0708044e1cb5f2496

SHA1
402dbf7bdd19985c7f861135eff3a79cc039bc51

SHA256
2645766cfb44b59cbc6536445247e4b251ded5344007c593304109416592d391

SHA512
3771a60738968dc4fc56e60e60f14ba445d3f3461e98e3854d434f5fbb1fb44b618cde1ba527a5714d477597423420ff182539b00daa0af0dd7e331706b90943

Download Submit
C:\Users\Admin\Desktop\TestRename.mhtml.abbt

Filesize
430KB

MD5
d74d997afe1e3e3dce0269b9da7dc8a4

SHA1
067bf535f8d10c0a169b7466f5ee95b0cd7824d8

SHA256
a7c00ed4360965a97f1fd27a951b6a3d8c0b7fa07a3289c0bfe3915084b29255

SHA512
c49aa30dfaa5c32ada8bf7b4cfb4094eac97e4053803ba991fbea9ef03d0a25dbb4bc7f9a89d27a2e91d6d74fec16fc4280da2ef17354f54c4a158931aa34fe7

Download Submit
C:\Users\Admin\Desktop\UnblockRevoke.html.abbt

Filesize
348KB

MD5
af5cdb2499b6b57c0ed1f69a03945983

SHA1
5b29699bb21cc9e30423826cebc286d820c52a84

SHA256
0233d3cbf92841d7ab09852f1910b143ac2c8f403e24e33fc6b47ba3e14fd7ab

SHA512
8bc923a367b858d1e68fd1fb3f133479a3c9dbcd80287b6e70413a48f142fe8e6b6e5dbb76d61c75ab57f12f9bac746d1af8669f500bf93b7e79f2eb5cf89a96

Download Submit
C:\Users\Admin\Desktop\UnlockExit.MTS.abbt

Filesize
266KB

MD5
b2b8e43bac8cd884c86b2479a03b50fa

SHA1
a136e086c9f86cbf67c5d537eb72712b19dd9f83

SHA256
ac5d17e6891205fd984123cd7fbad35397e0dead6fb646734214169771715935

SHA512
9eff95395cc3e2e81be5c36891f4457a6a68dc31e3606b5f9d3c52f382d22cc01e7c5f0546e31dfb5047243c6d03cd2f9a5c8be9ee2663f7eafebc7e8714ddc1

Download Submit
C:\Users\Admin\Desktop\WatchConfirm.vst.abbt

Filesize
471KB

MD5
50f780595e18d03a8cf004ea9a15e16b

SHA1
cc189b5c3df7fa1b8f898b50dc36ba91216e626c

SHA256
46f1f5bb3804530ea5ab40443e9c02480a8fc6a4ccfbc2155a27fe1d2ac27f10

SHA512
f9a411143bbcd84a390537ef731570c8f603dfdebe456ddcbf2f6b4cb5f74927688ddb6397abe8e64b928b9861f9dcd3a3b300b21a332c12496e44d5d871c5a4

Download Submit
C:\Users\Admin\Downloads\DisconnectWait.xlsm.abbt

Filesize
352KB

MD5
945df1ba60ebdcf80773967a72a6cb73

SHA1
4f83284d75342cf5484d3d7d5295609f80765ce0

SHA256
2fc5a3c93f2f4a49014ef3c2a2b863e1b86b1aec68e1269192bda3f605c30f77

SHA512
f4ab87f606b1db06d38053ad1649b2dffc7510483adbeffec9abafd8d3c629ebde4b5df4fb43889016885e847142ff28622d742d5658cf61bbe906a39c835312

Download Submit
C:\Users\Admin\Downloads\EnableRequest.eps.abbt

Filesize
946KB

MD5
53277cda8286e7d659db537ee54d298f

SHA1
c485f6b91545581fca9ef8b64c75a82ddc035a34

SHA256
79333e004289f5500353a00458d4c54ae4896c72940fad4d2c8fa5842221b3b1

SHA512
262428f27b2543abd16b3d077a400e63dc514fbce5d8f3821adb9a051dc31bda6bd73e5a157868c8faa1ac1acb807befffec3e740e14de4064b48b257a268274

Download Submit
C:\Users\Admin\Downloads\GetUnblock.ps1.abbt

Filesize
660KB

MD5
99fb24b081413ebd30686410047a5f0f

SHA1
20dda81cec2fcdca337a73b707a05c1923564cf4

SHA256
4a919aef52876410a14ba34bc7f7fedb3b5eb2de18d805403462f00f00ac8aa5

SHA512
074bd0eff76950ecea977d92556f86bcfd20bcc91c9f91509a9f174f3a01305d51461ecd9dcdaddb5406cac721b2ed4238fdf0592cc5d680571f31c10ba004ba

Download Submit
C:\Users\Admin\Downloads\SetNew.m4a.abbt

Filesize
1012KB

MD5
e7dcf8e271f18e0ebba12a2abbea3310

SHA1
7086582631ebd23a187fd57424a19da2dac4944d

SHA256
dbae6c6f3a766ede9f9b5af8510195260c7fe5cac19e3494af7c85eac02d0f3a

SHA512
d3b141e3f8ae8d450e718691cfd570f55b0491c31e4a737ec54170f8b54201639239a78ab5c4bf811805b58b26ea761e9d8902b9fe29d7a8b0b1aa9168649459

Download Submit
C:\Users\Admin\Downloads\StartEdit.crw.abbt

Filesize
792KB

MD5
ef3fedbd5abe75eb4a49eb1fbb0b8cad

SHA1
58aecb8d14a49457d89e800d7803f695cf3e8757

SHA256
58476e2c2c5c3e32c8964ddb2a7c92a2389f3ad6c5f522163a680639c5fb7461

SHA512
b61b5cb80553657e4edbf248ae247eb3afa4768bfb34fe01a8dd2acfd5d4ba3209f2470e61bdb78a6ddc9c4bc79674b450b42f4545e1f3684b71004358a72a8e

Download Submit
C:\Users\Admin\Downloads\WaitComplete.vsx.abbt

Filesize
550KB

MD5
04dfe51e21fcaa36ad764cbfad2dd978

SHA1
d81012a773a30240d59149d9ad447ff09722a289

SHA256
431e061acfd4dcbad984e85edb1e825947f4df62243c94897e22bdbe2cbd131f

SHA512
e31dec27c30862a13a1ef52ed3827dbb4c4929eeed3d7e2b1e7ab5dad03ad569897f482d7a9b6e27b31e276acba79772806df755150be88104caddfffd552bf4

Download Submit
memory/4908-387-0x00007FF7C3D20000-0x00007FF7C3E17000-memory.dmp

Filesize
988KB

Download