Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    43s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 21:22

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/Annabelle.exe

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/Annabelle.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd2a246f8,0x7ffdd2a24708,0x7ffdd2a24718
      2⤵
        PID:3696
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3180
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        2⤵
          PID:3160
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
          2⤵
            PID:2408
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
            2⤵
              PID:448
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
              2⤵
                PID:3688
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
                2⤵
                  PID:452
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3780
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
                  2⤵
                    PID:3660
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
                    2⤵
                      PID:1124
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5800 /prefetch:8
                      2⤵
                        PID:5028
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
                        2⤵
                          PID:5168
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
                          2⤵
                            PID:5364
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                            2⤵
                              PID:5356
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
                              2⤵
                                PID:5532
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2567974759979050090,6226632390451501840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5660
                              • C:\Users\Admin\Downloads\Annabelle.exe
                                "C:\Users\Admin\Downloads\Annabelle.exe"
                                2⤵
                                • Modifies WinLogon for persistence
                                • Modifies Windows Defender Real-time Protection settings
                                • UAC bypass
                                • Disables RegEdit via registry modification
                                • Sets file execution options in registry
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Checks whether UAC is enabled
                                • System policy modification
                                PID:5768
                                • C:\Windows\SYSTEM32\NetSh.exe
                                  NetSh Advfirewall set allprofiles state off
                                  3⤵
                                  • Modifies Windows Firewall
                                  PID:6028
                                • C:\Windows\SYSTEM32\vssadmin.exe
                                  vssadmin delete shadows /all /quiet
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:6020
                                • C:\Windows\SYSTEM32\vssadmin.exe
                                  vssadmin delete shadows /all /quiet
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:6012
                                • C:\Windows\SYSTEM32\vssadmin.exe
                                  vssadmin delete shadows /all /quiet
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:6004
                                • C:\Windows\System32\shutdown.exe
                                  "C:\Windows\System32\shutdown.exe" -r -t 00 -f
                                  3⤵
                                    PID:292
                                • C:\Users\Admin\Downloads\Annabelle.exe
                                  "C:\Users\Admin\Downloads\Annabelle.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:6136
                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                    vssadmin delete shadows /all /quiet
                                    3⤵
                                    • Interacts with shadow copies
                                    PID:5672
                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                    vssadmin delete shadows /all /quiet
                                    3⤵
                                    • Interacts with shadow copies
                                    PID:5720
                                  • C:\Windows\SYSTEM32\NetSh.exe
                                    NetSh Advfirewall set allprofiles state off
                                    3⤵
                                    • Modifies Windows Firewall
                                    PID:4028
                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                    vssadmin delete shadows /all /quiet
                                    3⤵
                                    • Interacts with shadow copies
                                    PID:5680
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2412
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1148
                                  • C:\Windows\system32\vssvc.exe
                                    C:\Windows\system32\vssvc.exe
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1752
                                  • C:\Windows\system32\LogonUI.exe
                                    "LogonUI.exe" /flags:0x4 /state0:0xa390a855 /state1:0x41c64e6d
                                    1⤵
                                      PID:5396

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      3e71d66ce903fcba6050e4b99b624fa7

                                      SHA1

                                      139d274762405b422eab698da8cc85f405922de5

                                      SHA256

                                      53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

                                      SHA512

                                      17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      1KB

                                      MD5

                                      3145b2c9647437e17b01830e320bf0ad

                                      SHA1

                                      92c611d0f740a6f1f1929e34260966095370d9a9

                                      SHA256

                                      a484f75272962484273dcc3a2a29615ff5d0a1a026c4585deac38c0ba9aa705d

                                      SHA512

                                      edc615cd7d133c56609e40021049a641bfd47c11381ba51d7b0b2205033a7815cae98583e6907a7ec81ce574cd865dfab4248f81646f0574e28ad247e474ee08

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      c590dadd2b386912d2c180189a6ba3b4

                                      SHA1

                                      58d73f51ca8b4a5e94af7762cef6cbe90d2ac6b3

                                      SHA256

                                      5d1caf48a5e76f3b49c9165bfc0dc569fa6755787c4c70d45a33dfcf6fe63745

                                      SHA512

                                      7427e14869ce5652f05fcbf730f739a700e037662efdd43e8a8c2195531a3fcf7da546029df96f320dfb9b2b41f048e826a667356b78d0de75136d43b9e42dbb

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      d42b952306f654e4d6f6fc868bbc3252

                                      SHA1

                                      7c8e205cadb1f6ad7e7efa6e28fd25b15f3756b1

                                      SHA256

                                      c3911ceda2359a47f381f1d18c4347bc50b938937f3303b42b3445eb23005086

                                      SHA512

                                      78573ad8c2beb558b2881f697eb6e8c70ea69bb3c4e5392f1b25ea75c9754e772be79765e22b9bce5e4aa3a0890ad9c7662106f8a90c7cc841ef788ed6e943e5

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      6645e56423c756577bcba311cc40c298

                                      SHA1

                                      916daa7a6ce621c07dbe89de3f39e5894cdad5ca

                                      SHA256

                                      6b61e82ed16d11ffbc6d9501dd3c94a40dde483be47337df959baf6d9300ea2e

                                      SHA512

                                      96adcf994b5a40103f63dfda272ffe33d01f412cda56753174fa47cec84de1ecff60e5546706240ef269bddc65d737da9ee71a6511ec49b6c027912cfc222e09

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      01e6a05fb37405909a51d87dcc600a4a

                                      SHA1

                                      13c9c1a3e767c8bbee254b7dd63b68c56707b8d6

                                      SHA256

                                      8ca9d5901853688ad82f81062189157e98eaccd5941fbe930e764a017ac7e243

                                      SHA512

                                      e7f9ac359d32fa82a6fa324c08175aae4eb1d96ac76cc328d5539840fa2fbe576b7f8fb95add16a82a034c4a188e53b613eb0cd5e40d7f6ee6614eac09883f15

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                      Filesize

                                      24KB

                                      MD5

                                      1b1b142e24215f033793d1311e24f6e6

                                      SHA1

                                      74e23cffbf03f3f0c430e6f4481e740c55a48587

                                      SHA256

                                      3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

                                      SHA512

                                      a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      b17c7a7ec3efe6c4571dd350b79b4391

                                      SHA1

                                      f8efa24df7b529fad6f44b8b8e962fe69df7c96f

                                      SHA256

                                      c5af060519a5be626d6c43a8a2e79fab1c9a080eee61332b9597ca9e7125ad16

                                      SHA512

                                      fdcb643f3977bfe5bfc0224a4ef382bca01e8ad9395818d8d6382a132ed4e7be08cdea6ed525fb268c55bc518240b16e2041d79587a720e3e2c4fbe5fa8cadbb

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      439504ce4947ea60554908b59b39e9a4

                                      SHA1

                                      4c2b02fbd62d56e5bedfbba0b56c7b7e798e46a1

                                      SHA256

                                      def634374ee68a6279491aaa515c459f7ae69ce9f2eac5e90092e2d5549246d6

                                      SHA512

                                      34ca2cb928c15f2f353ad529e3ba09e198f4e7eb3a5da36eb68259b0df55c841babe1418ac4f43b148f1ee1c219a8eab3a634bdd2b0571bebd2e784413a14901

                                    • C:\Users\Admin\Documents\Are.docx.ANNABELLE

                                      Filesize

                                      11KB

                                      MD5

                                      fbee6324fff5137f8a9b76b176f2e786

                                      SHA1

                                      bb91ae1a30051af85ef1c8a26207cd828faf19dc

                                      SHA256

                                      4f7c151f83c32cb20a900a67389ce79ad2ecb89f3adf6bea5a99311a292713a9

                                      SHA512

                                      318646d45567df4723c5539c3218548b9c5a7a9ee22c50b837eeffa5978759cbca1b26ebfe36920a8c6b083b0b7b601aa2f5b75e8433b2783fd462bad1f08c1b

                                    • C:\Users\Admin\Documents\BackupInitialize.vdw.ANNABELLE

                                      Filesize

                                      671KB

                                      MD5

                                      dc2594a1ff00a4833bfcc5b1d702fd0d

                                      SHA1

                                      a8dab235bd200b9a45cc3d82eb1206c2b98dac84

                                      SHA256

                                      4be389f803d638ee3bd7c1805201fd4b1a29bc6b7188593b1b435f9517ac5598

                                      SHA512

                                      74f5e2eb11f89159abf90b54577e25d289dabd8b5318e6c87506043ba429bf932ca2189cfc322e5d846e91b3be9e7f9b1c51ae95187d8800ae912d12d8affc24

                                    • C:\Users\Admin\Documents\CloseSave.ods.ANNABELLE

                                      Filesize

                                      308KB

                                      MD5

                                      729dedea42d5f4efea34ed7abdf6c264

                                      SHA1

                                      c48ffc1c2400aa4f63147ee0147e8a9681a92c12

                                      SHA256

                                      aaac8224c93d38261f8d39bd0ab51381b4456ecd4626daa5412dd4f077102e74

                                      SHA512

                                      6f037d68f989e9dc65a709779bb3cac0a8941e85709b006305322e81dfde25419ab1dbda57d35203381535853c282ab6c0f492b7cf26b3f8fd0e0205b67df4b4

                                    • C:\Users\Admin\Documents\ConfirmInitialize.wps.ANNABELLE

                                      Filesize

                                      698KB

                                      MD5

                                      3d075415ab38d3c0736fcbde12a60e11

                                      SHA1

                                      e2db58af40181226e7ee97822bfb0608564d9c58

                                      SHA256

                                      fb7f9c08a277bd1c4137c7e71ce9638474557f893c8c5c5084d3cb5ebc18bc6c

                                      SHA512

                                      b8fad268752bf35446507e218ab409a51f95b10e6cdee25961bf9b81598244df875183f47cd7a45ba796d60965c8d38b0dcaf61f496d030a1bbaaced743e52c2

                                    • C:\Users\Admin\Documents\ConfirmPush.ods.ANNABELLE

                                      Filesize

                                      577KB

                                      MD5

                                      602220ca15c0316e1b18147a480b8c7a

                                      SHA1

                                      8113cea86c0832a10922165693953a2a783750fe

                                      SHA256

                                      0b9b2d2db9dab4f0a0c2f759bf10ef7b4d492f11db7e8179411b85af1e4b80fc

                                      SHA512

                                      8a7c84adde2a37387622e09ddf1e8dc3035a82e73fc9da63f9c05ddb86a3a085bfef67e04ab2930996b7c1126139783ac8bdbb104efe67a56b4f1ac341d8662f

                                    • C:\Users\Admin\Documents\ConnectRequest.xltx.ANNABELLE

                                      Filesize

                                      456KB

                                      MD5

                                      d87acb07a9e8ab5f0039bbdb868689ed

                                      SHA1

                                      249435bc3bc894cbfdfad772c18460fbfc79ee4e

                                      SHA256

                                      269a38489046a8fc881af927f37b4a005d241672b8a3bec0a7419bf0399f2b52

                                      SHA512

                                      383019632ee3bdd9603e23bb83928dbac3b0efed2d5dad2885c0afedbe14033658835aa980e15ccf91e14700ffa18b4a6ae8658d7702c15a3e8ae8cda325864d

                                    • C:\Users\Admin\Documents\ConvertFromDisable.vdw.ANNABELLE

                                      Filesize

                                      604KB

                                      MD5

                                      d842b493f2f6711213cd5a632f2098b8

                                      SHA1

                                      df09325a71b596c81599b6aa9e7a569a95cf3f7a

                                      SHA256

                                      953d53d7f2d3b871c0c487259ee833499779acc0a8951657aec6725250134a87

                                      SHA512

                                      dc9f2c3f83ed0f0cff53941702cdcffd53e78cffe89d06814c8024c4bd4cb57e15258f51471f6436e1afea94e128cecdc1703d79f8ac862305c43f3cf51bdf14

                                    • C:\Users\Admin\Documents\ConvertInstall.ppt.ANNABELLE

                                      Filesize

                                      295KB

                                      MD5

                                      17fab6c05f95d074063d2e692364a681

                                      SHA1

                                      ea741fffdc80eff60174601dbbfff3077e204152

                                      SHA256

                                      cb88ed570d8029316a41ce96f65fd49e8a8ea2aecc5ec25fc843ecb0a3abe0b0

                                      SHA512

                                      026df667d6f29df16be731897a760710d80aa3ad1a939c171e466d7ffe38d970a0bb92cdbe87e5a5f88798a94e63778b13601b892327b894b9c3bfb2ac0c384b

                                    • C:\Users\Admin\Documents\CopyLock.txt.ANNABELLE

                                      Filesize

                                      564KB

                                      MD5

                                      55db5fdca86d1145df7753b7855131a8

                                      SHA1

                                      961ffb7750127014412af292eb6ed0f5246f4c35

                                      SHA256

                                      93c9c1a323eb11b2c03f5c2b020fce07f5a1b44c817e7be0f7a02fc1c7ce0888

                                      SHA512

                                      71e7f17ae974dfde0748eb7897d63ada243f74974be7f93274b4ca28c820fd82d1ba3184b6ea54763445d67c03d6997dc1bec99e340c85e19ffab0164e89166b

                                    • C:\Users\Admin\Documents\DebugTest.xps.ANNABELLE

                                      Filesize

                                      376KB

                                      MD5

                                      9560ab8b44d43b49ccbdb242b3c523a7

                                      SHA1

                                      adfaf4a41cc8c827cc8a46a8d774207bad3ae273

                                      SHA256

                                      f4ae2f6e13b10c2aef65ff1e43cd0880d7f30825f332e81a47ce3dedb3ed4b88

                                      SHA512

                                      f0180d1f7fbc3a941c22110774b0b8877fe9fc8349ebd3cd86f944a99f99c52b4abfdd9b3d2a404c6fe3ae43f3218946049ef843f0075e6e6cd7aa056ee0b9fc

                                    • C:\Users\Admin\Documents\DenySelect.vsx.ANNABELLE

                                      Filesize

                                      255KB

                                      MD5

                                      8eabb8ebd20a052da066455a5a540f56

                                      SHA1

                                      149964e37118dffbd213705608dca4eb2d66f378

                                      SHA256

                                      88739e733605ae26233057305dea6968be790ae2128909aaecbc98a78f255ca0

                                      SHA512

                                      d4d23106144efbd57e1913c7a932eb2496b6942b3224ffa93b63b2bc3a6c80e8f25e77e5e67990fc2e3dbb6e47d620c628fc79e5869e01c748ebaa595c8b4d28

                                    • C:\Users\Admin\Documents\DisconnectResume.vsd.ANNABELLE

                                      Filesize

                                      722KB

                                      MD5

                                      918ca7e332641289d602da130c949acf

                                      SHA1

                                      44f7c8b0a5db69bd54389fa89821ab52c3761a67

                                      SHA256

                                      422272d87749ec3db5925dc32eef9d378871ef565a171129646bd672e3b9f6ad

                                      SHA512

                                      bdd65eb1e1ee3738b06b8b39e1a6adab38eb611e763d73bf9cbddbf9950100cbb0313b0faa1ba40717276bcf553750cbc782570a36fee57be241628a9b372ed0

                                    • C:\Users\Admin\Downloads\Annabelle.exe

                                      Filesize

                                      2.7MB

                                      MD5

                                      e7320f59a017f4b171cda62207188c61

                                      SHA1

                                      42a12481e7bc271613ac2ab729c250d0484850d0

                                      SHA256

                                      bed70229a1c2e5bd501b8a9759d2b625adbca0f8a4edf846eb1a1e19c2ade474

                                      SHA512

                                      cb6f2df0f9aecc72931afe5703df8cac09ee4417087307311059a9dcba267b3f67f3b98e4d50b9757f4e11a81f289e35fd5a057d78aee4627a57967a078a42cd

                                    • C:\Users\Admin\Downloads\Annabelle.exe

                                      Filesize

                                      1.7MB

                                      MD5

                                      41dcd7874c49cf4c16facf7a908c8174

                                      SHA1

                                      614cb9745fc4928389a43ac607046c8c991cac06

                                      SHA256

                                      8635b68661763b5ceaf3d009cc321449601b6683119786007f7e19a29f60dc51

                                      SHA512

                                      c211bb89fd1827f6c922a57dccd40bc081da8fe4c04cc0abe52a3c67f0fe394b896d477e2464bec2f4d389295e804f3dd3edbf2b7e789a202b0a08ee57d0e943

                                    • C:\Users\Admin\Downloads\Annabelle.exe

                                      Filesize

                                      4.2MB

                                      MD5

                                      91f1062e85411ae8e2dec0dcf34d2cb0

                                      SHA1

                                      0125a00323a0b6cb7f13c47e146bc768c326bb06

                                      SHA256

                                      7060afd3840accbc2a688f080340f95b63fa9f4644804e315ca8ae856ef2e4ff

                                      SHA512

                                      9d96fa9792cce1d3c93af8d37aa0a70fef2739fdaf80b93ac894fd3512ffc73dcf97dc54ba48ed3e2fa8da8147b0aaeac51819385db149f4273c2c3109e892ef

                                    • C:\Users\Admin\Downloads\Unconfirmed 291636.crdownload

                                      Filesize

                                      221KB

                                      MD5

                                      dfd5ee48ec9cb4670ccbbc05c376e3a3

                                      SHA1

                                      650b0d24a71fa0bb68428742d7bc945fbdf7e026

                                      SHA256

                                      de06ac8a67094aa92954fc9c6a8ec2aef3a9beae6477136b2baa10f189ce6b90

                                      SHA512

                                      28835714da6ef6bd587b06513c298e3e234314080825ade769674d088d34d2c3edb2308343bd1c3fedfbd17a72aca356849be808eb431fcf01218fd5f4fa537f

                                    • memory/5768-218-0x0000025459750000-0x0000025459760000-memory.dmp

                                      Filesize

                                      64KB

                                    • memory/5768-217-0x0000025459760000-0x000002545ACEE000-memory.dmp

                                      Filesize

                                      21.6MB

                                    • memory/5768-201-0x00007FFDBE6F0000-0x00007FFDBF1B1000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/5768-211-0x000002543E130000-0x000002543F124000-memory.dmp

                                      Filesize

                                      16.0MB

                                    • memory/5768-371-0x00007FFDBE6F0000-0x00007FFDBF1B1000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/5768-454-0x00007FFDBE6F0000-0x00007FFDBF1B1000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/6136-318-0x00007FFDBE6F0000-0x00007FFDBF1B1000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/6136-372-0x00000226E8F30000-0x00000226E8F40000-memory.dmp

                                      Filesize

                                      64KB

                                    • memory/6136-453-0x00007FFDBE6F0000-0x00007FFDBF1B1000-memory.dmp

                                      Filesize

                                      10.8MB