Analysis
max time kernel: 43s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 18/01/2024, 21:22
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/Annabelle.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/Annabelle.exe
Resource
win10v2004-20231222-en
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/Annabelle.exe
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe
-
Modifies Windows Defender Real-time Protection settings
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe
-
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process
6028 NetSh.exe
4028 NetSh.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe Annabelle.exe
-
Executes dropped EXE 2 IoCs
pid Process
5768 Annabelle.exe
6136 Annabelle.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe
-
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
6020 vssadmin.exe
6012 vssadmin.exe
6004 vssadmin.exe
5672 vssadmin.exe
5720 vssadmin.exe
5680 vssadmin.exe
-
NTFS ADS 1 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 291636.crdownload:SmartScreen msedge.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process
3180 msedge.exe
724 msedge.exe
3780 identity_helper.exe
5660 msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process
724 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeBackupPrivilege 1752 vssvc.exe
Token: SeRestorePrivilege 1752 vssvc.exe
Token: SeAuditPrivilege 1752 vssvc.exe
-
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process
724 msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
724 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 724 wrote to memory of 3696 724 msedge.exe 56
PID 724 wrote to memory of 3160 724 msedge.exe 90
PID 724 wrote to memory of 3180 724 msedge.exe 89
PID 724 wrote to memory of 2408 724 msedge.exe 91
-
System policy modification 1 TTPs 9 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:724)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/Annabelle.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3696)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd2a246f8,0x7ffdd2a24708,0x7ffdd2a24718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3180)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3160)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2408)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:448)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3688)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID:452)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID:3780)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3660)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1124)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5028)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5800 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5168)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5364)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5356)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5532)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5660)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\Downloads\Annabelle.exe (PID:5768)
      "C:\Users\Admin\Downloads\Annabelle.exe"
      - Modifies WinLogon for persistence
      - Modifies Windows Defender Real-time Protection settings
      - UAC bypass
      - Disables RegEdit via registry modification
      - Sets file execution options in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - System policy modification
        C:\Windows\SYSTEM32\NetSh.exe (PID:6028)
          NetSh Advfirewall set allprofiles state off
          - Modifies Windows Firewall
        C:\Windows\SYSTEM32\vssadmin.exe (PID:6020)
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\SYSTEM32\vssadmin.exe (PID:6012)
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\SYSTEM32\vssadmin.exe (PID:6004)
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\System32\shutdown.exe (PID:292)
          "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    C:\Users\Admin\Downloads\Annabelle.exe (PID:6136)
      "C:\Users\Admin\Downloads\Annabelle.exe"
      - Executes dropped EXE
        C:\Windows\SYSTEM32\vssadmin.exe (PID:5672)
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\SYSTEM32\vssadmin.exe (PID:5720)
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\SYSTEM32\NetSh.exe (PID:4028)
          NetSh Advfirewall set allprofiles state off
          - Modifies Windows Firewall
        C:\Windows\SYSTEM32\vssadmin.exe (PID:5680)
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
C:\Windows\System32\CompPkgSrv.exe (PID:2412)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID:1148)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\vssvc.exe (PID:1752)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe (PID:5396)
  "LogonUI.exe" /flags:0x4 /state0:0xa390a855 /state1:0x41c64e6d
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Create or Modify System Process: 2
    Windows Service: 2
Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Create or Modify System Process: 2
    Windows Service: 2
-
Filesize
456KB
MD5d87acb07a9e8ab5f0039bbdb868689ed
SHA1249435bc3bc894cbfdfad772c18460fbfc79ee4e
SHA256269a38489046a8fc881af927f37b4a005d241672b8a3bec0a7419bf0399f2b52
SHA512383019632ee3bdd9603e23bb83928dbac3b0efed2d5dad2885c0afedbe14033658835aa980e15ccf91e14700ffa18b4a6ae8658d7702c15a3e8ae8cda325864d
-
Filesize
604KB
MD5d842b493f2f6711213cd5a632f2098b8
SHA1df09325a71b596c81599b6aa9e7a569a95cf3f7a
SHA256953d53d7f2d3b871c0c487259ee833499779acc0a8951657aec6725250134a87
SHA512dc9f2c3f83ed0f0cff53941702cdcffd53e78cffe89d06814c8024c4bd4cb57e15258f51471f6436e1afea94e128cecdc1703d79f8ac862305c43f3cf51bdf14
-
Filesize
295KB
MD517fab6c05f95d074063d2e692364a681
SHA1ea741fffdc80eff60174601dbbfff3077e204152
SHA256cb88ed570d8029316a41ce96f65fd49e8a8ea2aecc5ec25fc843ecb0a3abe0b0
SHA512026df667d6f29df16be731897a760710d80aa3ad1a939c171e466d7ffe38d970a0bb92cdbe87e5a5f88798a94e63778b13601b892327b894b9c3bfb2ac0c384b
-
Filesize
564KB
MD555db5fdca86d1145df7753b7855131a8
SHA1961ffb7750127014412af292eb6ed0f5246f4c35
SHA25693c9c1a323eb11b2c03f5c2b020fce07f5a1b44c817e7be0f7a02fc1c7ce0888
SHA51271e7f17ae974dfde0748eb7897d63ada243f74974be7f93274b4ca28c820fd82d1ba3184b6ea54763445d67c03d6997dc1bec99e340c85e19ffab0164e89166b
-
Filesize
376KB
MD59560ab8b44d43b49ccbdb242b3c523a7
SHA1adfaf4a41cc8c827cc8a46a8d774207bad3ae273
SHA256f4ae2f6e13b10c2aef65ff1e43cd0880d7f30825f332e81a47ce3dedb3ed4b88
SHA512f0180d1f7fbc3a941c22110774b0b8877fe9fc8349ebd3cd86f944a99f99c52b4abfdd9b3d2a404c6fe3ae43f3218946049ef843f0075e6e6cd7aa056ee0b9fc
-
Filesize
255KB
MD58eabb8ebd20a052da066455a5a540f56
SHA1149964e37118dffbd213705608dca4eb2d66f378
SHA25688739e733605ae26233057305dea6968be790ae2128909aaecbc98a78f255ca0
SHA512d4d23106144efbd57e1913c7a932eb2496b6942b3224ffa93b63b2bc3a6c80e8f25e77e5e67990fc2e3dbb6e47d620c628fc79e5869e01c748ebaa595c8b4d28
-
Filesize
722KB
MD5918ca7e332641289d602da130c949acf
SHA144f7c8b0a5db69bd54389fa89821ab52c3761a67
SHA256422272d87749ec3db5925dc32eef9d378871ef565a171129646bd672e3b9f6ad
SHA512bdd65eb1e1ee3738b06b8b39e1a6adab38eb611e763d73bf9cbddbf9950100cbb0313b0faa1ba40717276bcf553750cbc782570a36fee57be241628a9b372ed0
-
Filesize
2.7MB
MD5e7320f59a017f4b171cda62207188c61
SHA142a12481e7bc271613ac2ab729c250d0484850d0
SHA256bed70229a1c2e5bd501b8a9759d2b625adbca0f8a4edf846eb1a1e19c2ade474
SHA512cb6f2df0f9aecc72931afe5703df8cac09ee4417087307311059a9dcba267b3f67f3b98e4d50b9757f4e11a81f289e35fd5a057d78aee4627a57967a078a42cd
-
Filesize
1.7MB
MD541dcd7874c49cf4c16facf7a908c8174
SHA1614cb9745fc4928389a43ac607046c8c991cac06
SHA2568635b68661763b5ceaf3d009cc321449601b6683119786007f7e19a29f60dc51
SHA512c211bb89fd1827f6c922a57dccd40bc081da8fe4c04cc0abe52a3c67f0fe394b896d477e2464bec2f4d389295e804f3dd3edbf2b7e789a202b0a08ee57d0e943
-
Filesize
4.2MB
MD591f1062e85411ae8e2dec0dcf34d2cb0
SHA10125a00323a0b6cb7f13c47e146bc768c326bb06
SHA2567060afd3840accbc2a688f080340f95b63fa9f4644804e315ca8ae856ef2e4ff
SHA5129d96fa9792cce1d3c93af8d37aa0a70fef2739fdaf80b93ac894fd3512ffc73dcf97dc54ba48ed3e2fa8da8147b0aaeac51819385db149f4273c2c3109e892ef
-
Filesize
221KB
MD5dfd5ee48ec9cb4670ccbbc05c376e3a3
SHA1650b0d24a71fa0bb68428742d7bc945fbdf7e026
SHA256de06ac8a67094aa92954fc9c6a8ec2aef3a9beae6477136b2baa10f189ce6b90
SHA51228835714da6ef6bd587b06513c298e3e234314080825ade769674d088d34d2c3edb2308343bd1c3fedfbd17a72aca356849be808eb431fcf01218fd5f4fa537f